Report No. D-2008-104                                                  June 23, 2008

DoD Implementation of Homeland Security Presidential Directive-12

Additional Information and Copies
To obtain additional copies of this report, visit the Web site of the Department of Defense Inspector General at http://www.dodig.mil/audit/reports or contact the Secondary Reports Distribution Unit at (703) 604-8937 (DSN 664-8937) or fax (703) 604-8932.

Suggestions for Audits
To suggest ideas for or to request future audits, contact the Office of the Deputy Inspector General for Auditing at (703) 604-9142 (DSN 664-9142) or fax (703) 604-8932. Ideas and requests can also be mailed to:

                       ODIG-AUD (ATTN: Audit Suggestions)
                       Department of Defense Inspector General
                       400 Army Navy Drive (Room 801)
                       Arlington, VA 22202-4704

                                      INSPECTOR GENERAL
                                    DEPARTMENT OF DEFENSE
                                     400 ARMY NAVY DRIVE
                                ARLINGTON, VIRGINIA 22202-4704

                                                                                     June 23, 2008

MEMORANDUM FOR UNDER SECRETARY OF DEFENSE FOR PERSONNEL AND READINESS
               UNDER SECRETARY OF DEFENSE FOR INTELLIGENCE
               ASSISTANT SECRETARY OF DEFENSE FOR NETWORKS AND INFORMATION INTEGRATION/DOD CHIEF INFORMATION OFFICER

SUBJECT: DoD Implementation of Homeland Security Presidential Directive-12 (Report No. D-2008-104)

We are providing this report for your review and comment.

We performed the audit in response to a request from the Office of Management and Budget that the President's Council on Integrity and Efficiency review agency processes and help ensure they are consistent with HSPD-12 and FIPS 201-1. We considered comments from the Under Secretary of Defense for Personnel and Readiness, the Under Secretary of Defense for Intelligence, and the Assistant Secretary of Defense for Networks and Information Integration/DoD Chief Information Officer on a draft of the report in preparing the final report.

DoD Directive 7650.3 requires that all recommendations be resolved promptly. Recommendations B.1. and B.2.a. have been clarified in response to management comments. We request additional comments from the Under Secretary of Defense for Personnel and Readiness, the Under Secretary of Defense for Intelligence, and the Assistant Secretary of Defense for Networks and Information Integration/DoD Chief Information Officer as detailed in the recommendations table on page ii by July 30, 2008.

If possible, please send management comments in electronic format (Adobe Acrobat file only) to AUDROS@dodig.mil. Copies of the management comments must contain the actual signature of the authorizing official. We cannot accept the / Signed / symbol in place of the actual signature. If you arrange to send classified comments electronically, they must be sent over the SECRET Internet Protocol Router Network (SIPRNET).

We appreciate the courtesies extended to the staff. Please direct questions to Mr. Donald Bloomer at (703) 604-8863 (DSN 664-8863) or Mr. Robert Johnson at (703) 604-9024 (DSN 664-9024). The team members are listed inside the back cover.

                                             [signed]
                                             Paul J. Granetto
                                             Principal Assistant Inspector General
                                                    for Auditing

                       Report No. D-2008-104 (Project No. D2007-D000LB-0153.000)
                                              June 23, 2008

                  Results in Brief: DoD Implementation of
                  Homeland Security Presidential Directive-12

What We Did
We performed the audit in response to a request from the Office of Management and Budget that the President’s Council on Integrity and Efficiency review agency processes and help ensure they are consistent with HSPD-12 and FIPS 201-1. We evaluated DoD business processes to determine whether they comply with directives and standards to develop secure and reliable Personal Identity Verification (PIV) credentials.

What We Found
DoD is not complying with HSPD-12 requirements, has not issued comprehensive HSPD-12 implementation guidance to DoD Components, and has not met HSPD-12 implementation milestones. DoD policy on physical access controls needs to be updated to comply with HSPD-12 policy objectives. Specific examples follow.

  • DoD did not meet Government-wide milestones for completing background checks.
  • Personnel at stations that issue the Common Access Card cannot electronically verify whether card applicants have initiated or completed a National Agency Check with Written Inquiries.
  • DoD displays the full Social Security number on the Geneva Conventions credential, increasing the risk of identity theft.
  • Components are purchasing equipment that is not compliant with HSPD-12.
  • DoD is using barcode technology on the Defense Biometric Identification System credential that is not equivalent to mandatory HSPD-12 security features.
  • DoD’s current PIV credential does not meet interoperability requirements and needs to be updated.

What We Recommend
  • Issue comprehensive DoD HSPD-12 implementation guidance within 90 days.
  • Revise and update DoD Directives and Instructions to incorporate Federal Information Processing Standards requirements.
  • Submit proposed end-state PIV credential to GSA for conformance testing.

Client Comments and Our Responses
The Under Secretary of Defense (Personnel and Readiness) agreed with two, partially agreed with two, and deferred on three recommendations. He has agreed to work with other DoD offices in the next 3 months to identify milestones to incorporate in the DoD HSPD-12 Implementation Plan. The Under Secretary of Defense (Intelligence) agreed with three, partially agreed with two, and disagreed with two recommendations. He required all new access control systems to comply with FIPS 201-1. The Assistant Secretary of Defense for Networks and Information Integration/Chief Information Officer disagreed with developing a FIPS 201-1-compliant authentication certificate within 6 months, citing extenuating circumstances. In the absence of obtaining a waiver, DoD should comply with FIPS 201-1. We revised two recommendations to clarify their intent. We request comments on the final report by July 30, 2008. Please see the recommendations table on the back of this page for details.

Recommendations Table

Client                              Recommendations Requiring Comment     No Additional Comments Required
Under Secretary of Defense for      A.1.b., B.1., B.2.a.                  A.1.a., A.1.c., A.2., B.2.b.
  Personnel and Readiness
Under Secretary of Defense for      A.2., B.2.a., B.3.a.1., B.3.a.2.      B.2.b., B.3.a.3., B.3.b.
  Intelligence
Assistant Secretary of Defense      A.3.
  for Networks and Information
  Integration/DoD Chief
  Information Officer

Please provide comments by July 30, 2008.

Table of Contents

Results in Brief                                                      i

Introduction                                                         1

       Objectives                                                    1
       Background                                                    1
       Review of Internal Controls                                   2

Finding A. Implementation of Directive                                3

       Recommendations                                                9

Finding B. Issuance of Implementation Guidance                       15

       Recommendations                                               20

Appendices

       A. Scope and Methodology                                      25
              Prior Coverage                                         26
       B. Guidance on Identification and Access Control              27
       C. Client Comments on the Findings and Audit Response         32
       D. Glossary                                                   53
       E. List of Acronyms and Abbreviations                         55

Client Comments
       Under Secretary of Defense for Personnel and Readiness        57
       Under Secretary of Defense for Intelligence                   67
       Assistant Secretary of Defense for Networks and Information
          Integration/DoD Chief Information Officer                  73

Introduction
Objectives
Our overall audit objective was to determine whether DoD is complying with the requirements of Homeland Security Presidential Directive-12 to enhance the quality and security of the identification that Federal employees and contractors use, and to implement common personal identity verification (PIV) credentials1 that will be strongly resistant to terrorist exploitation. Specifically, we evaluated whether DoD business processes comply with directives and standards to develop PIV credentials that are secure and reliable forms for identifying DoD employees and contractors.

Background
President Bush signed the Homeland Security Presidential Directive-12 (HSPD-12) on August 27, 2004. HSPD-12 objectives are to enhance security, increase Government efficiency, reduce identity fraud, and protect personal privacy. HSPD-12 establishes a mandatory, Government-wide standard for secure and reliable forms of identification issued by Federal agencies to their employees and contractors. The Presidential Directive defines secure and reliable identification as being (a) issued based on sound criteria for verifying an individual employee’s identity; (b) strongly resistant to identity fraud, tampering, counterfeiting, and terrorist exploitation; (c) capable of rapid electronic authentication; and (d) issued only by accredited providers.
As required by HSPD-12, the Secretary of Commerce promulgated Federal Information Processing Standard (FIPS) 201, “Personal Identity Verification (PIV) of Federal Employees and Contractors,” February 25, 2005, which established minimum requirements for a Federal personal identity verification system (PIV-I) and detailed technical specifications of components and processes required for interoperability of PIV cards (PIV-II). In March 2006, the Secretary of Commerce issued FIPS 201 Change Notice 1 (FIPS 201-1), updating the requirements established by FIPS 201.

Office of Management and Budget (OMB) Memorandum M-05-24, “Implementation of Homeland Security Presidential Directive-12 Policy for a Common Identification Standard for Federal Employees and Contractors,” August 5, 2005, establishes timelines and milestones for FIPS 201-1 compliance. OMB Memorandum M-07-06, “Validating and Monitoring Agency Issuance of Personal Identity Verification Credentials,” January 11, 2007, required all Federal agencies to submit their FIPS 201-1-compliant credential to the General Services Administration for testing by January 19, 2007. The memorandum announced that agencies would be contacted by their Inspector General to ensure business processes are being followed to foster the environment of trust needed for the credentials to be accepted by departments and agencies when deemed appropriate in implementing HSPD-12.

1 See Appendix D for definitions of “credentials” and other terms used in this report.

Agencies may elect to implement HSPD-12 through either a transitional or an end-point credential. DoD is the only agency granted transitional status by OMB because DoD already has a smart card program. DoD must achieve the end-point credential specification for all cardholders at some point.
OMB established October 27, 2006, as the date for issuing an initial end-point credential by all agencies; however, OMB has not established a deadline for DoD to achieve initial operational capability. In early 2007, DoD began to issue a limited number of transitional credentials to individuals whose previous credentials had expired. In the quarterly DoD PIV Status Report dated December 26, 2007, DoD reported it had issued 56 credentials as of March 2007. After the issuance of our draft report, the April 1, 2008, quarterly DoD PIV Status Report cited 108,778 total PIV cards issued: 83,659 to employees and 25,119 to contractors. DoD had not completed development of an end-point credential as of May 2008.

The Under Secretary of Defense for Personnel and Readiness is responsible for the timely implementation of HSPD-12 for the Department of Defense. The Defense Manpower Data Center (DMDC) has been assigned responsibility for development of a DoD common access card meeting the requirements of HSPD-12. We visited the DMDC East facility to determine the stage of HSPD-12 compliance and to review common access card (CAC) testing, issuance, and infrastructure. To determine HSPD-12 compliance at installations, we also visited 13 military and Coast Guard installations—all with CAC issuance facilities. We visited Defense Supply Center-Philadelphia and the Defense Logistics Agency concerning a photoless ID cardholder.

Review of Internal Controls
We identified an internal control weakness for DoD as defined by DoD Instruction 5010.40, “Managers’ Internal Control (MIC) Program Procedures,” January 4, 2006. DoD did not have adequate internal controls to ensure DoD compliance with the requirements of HSPD-12. DoD has not issued comprehensive HSPD-12 implementation guidance.
Further, existing guidance pertaining to various aspects of HSPD-12 implementation, such as DoD Regulation 5200.08-R and DoD Directive 1000.25, is contrary to HSPD-12 policy. See finding B for specific results of those weaknesses. Implementing the recommendations made in this report will correct the weaknesses. A copy of this report will be provided to the senior official responsible for internal controls in DoD.

A. Implementation of Directive
DoD did not meet the milestones approved by the Office of Management and Budget (OMB) in 2005 for compliance with Homeland Security Presidential Directive-12 (HSPD-12) by 2010. DoD missed these milestones in part because it declared a “strategic pause” in HSPD-12 implementation from April to December 2007, and has not met HSPD-12 minimum standards for its transitional program. In addition, DoD has not provided centralized funding for critical required elements of HSPD-12 implementation. As a consequence, the intended benefits of HSPD-12 to enhance security, increase Government efficiency, reduce identity fraud, protect personal privacy, and reduce the potential for terrorist exploitation will not begin to be realized by the Department until at least 2012.

Implementation Milestones and Strategic Pause
In June 2005 DoD submitted its HSPD-12 Implementation Plan to OMB for approval. OMB approved DoD milestones for the Personal Identity Verification (PIV)-I and PIV-II requirements to support DoD achieving full compliance with HSPD-12 requirements by April 2010.
DoD’s updated January 2008 HSPD-12 Implementation Plan documents the failure of the Department to meet critical HSPD-12 implementation milestones. Implementation challenges remain that threaten to further delay full compliance with HSPD-12 requirements.

DoD attributes the adjustments in implementing HSPD-12 milestones to a strategic pause taken to update infrastructure for issuing CACs. DoD’s transition to a Web services architecture has not been as trouble-free as anticipated. In April 2007, DoD declared a strategic pause in the implementation of the Web version of its issuance infrastructure until December of 2007. After the strategic pause, DoD resumed the upgrade of its issuance infrastructure to the Web service architecture and full compliance with the FIPS 201-1, PIV-II requirements. DoD will need a year from the December 2007 reinitiation to upgrade the entire infrastructure. The strategic pause directly affected the Department’s ability to achieve full implementation of HSPD-12 PIV-I and PIV-II requirements.

Personal Identity Verification-I Requirements
PIV-I requirements are the minimum requirements for a Federal personal identification verification system that meets the control and security objectives of HSPD-12, including personal identity proofing and registration, issuance, and privacy protection.

   1. PIV identity proofing and registration requirements include the initiation of a National Agency Check with Written Inquiries (NACI) background check. FIPS 201-1 Part 2 requires that when a PIV credential is issued to a Federal employee or contractor without a completed NACI background check, the credential must be electronically distinguishable from that issued to an individual who has completed a NACI background check.

   2. PIV issuance requirements state that, at the time of issuance, the PIV applicant’s identity must be verified as the person intended to receive the PIV credential and for whom the background check was completed.

   3. Protecting personal privacy is a requirement of the PIV system.

Background Checks
FIPS 201-1 requires that employees and contractors who are issued a PIV credential undergo, at a minimum, a NACI or an OPM or National Security community investigation equivalent background check. The background check must be initiated and the fingerprint check completed before the issuance of any PIV credential. Further, at the time of PIV issuance, the issuing official is required to verify the status of the NACI process for the applicant (completed or ongoing). Credentials issued to individuals without a completed NACI or the equivalent must be electronically distinguishable from credentials issued to individuals who have a completed investigation.

Automated Verification of Status
The Director of DMDC issued a memorandum on September 12, 2007, stating that DMDC is working closely with the Office of the Deputy Under Secretary of Defense for Intelligence, Counterintelligence, and Security to establish an automated capability to verify the status of an individual’s background check. However, DoD does not intend to produce identity credentials that will include an electronic indication of the status of a NACI.
Further, DoD has yet to establish an automated mechanism to verify that all individuals receiving the PIV credential have at least initiated, if not completed, the required NACI background investigation.

Deadlines for Completion of Background Checks
Office of Management and Budget Memorandum M-05-24 mandates that agencies:

   •   by October 27, 2007, verify or complete background checks for all current employees and contractors, except for agency employees employed more than 15 years; and

   •   by October 27, 2008, complete background checks for all Federal department or agency employees employed more than 15 years.

DoD did not meet the OMB deadline of October 27, 2007, for current employees and contractors. According to DoD’s January 2008 Implementation Plan, as of December 26, 2007, the following numbers of DoD employees and contractors had not completed the required background checks.

        DoD Employees and Contractors With Incomplete Background Checks

                                 Military or Civilian           1,240,214
                                 Contractors                      196,185
                                   Total                       *1,436,399

          *DoD’s January 2008 Implementation Plan noted that these numbers may not be an accurate reflection of the completed qualifying investigations, but a reflection of data quality in the DoD Joint Personnel Adjudication System.

Privacy Requirements
HSPD-12 explicitly states that protecting personal privacy is a requirement of the PIV-I implementation policy. All departments and agencies shall implement the PIV system in accordance with the spirit and letter of privacy controls specified by HSPD-12 and in Federal privacy laws and policies.
The DoD Geneva Conventions credential for members of the uniformed services does not comply with HSPD-12 or with Federal policies and requirements to reduce identity fraud and protect personal privacy.

The continued display of Social Security numbers on the DoD Geneva Conventions credential is the result of adherence to guidance that does not reflect changes in Federal policies, technological advancements, or the increased need to protect personal information. DoD began displaying the Social Security number on identification badges in 1967. In 2007 OMB instructed Federal departments and agencies to take steps to reduce the risk related to loss of personally identifiable information. In 2007 OMB issued guidance to Federal agencies to eliminate unnecessary use of Social Security numbers and strengthen protection of personal information from loss or theft. In 2006 Congress identified the inherent risk of displaying the full Social Security number on identification credentials and the need to protect individuals’ right to privacy and reduce the risk of identity theft. Printing of the Social Security numbers in conjunction with the individuals’ dates of birth on DoD credentials unnecessarily exposes individuals’ personal privacy information and increases the risk of identity theft.

In response to an FY 2007 congressional request, DoD issued a report to Congress, “Omission of the SSN from the Department of Defense Military Identification Cards,” May 23, 2007. In it, the Under Secretary of Defense for Personnel and Readiness (USD [P&R]) recommended removing the full Social Security number from view on identification credentials, instead displaying only the last four digits. The full Social Security number would be retained in the portable data file 417 two-dimensional barcode and the integrated circuit chip on the credential.
No timetable was provided to implement the recommendation, however, nor did the report specify who was responsible for implementation. The current appearance of DoD’s Geneva Conventions credential unnecessarily compromises personal privacy and increases the risk of identity theft and the potential for terrorist exploitation. DoD should immediately require USD(P&R) to implement the recommendation to print only the last four digits of the Social Security number on the Geneva Conventions credential.

Personal Identity Verification-II Requirements
PIV-II requirements are the detailed technical specifications of components and processes required for interoperability of PIV credentials for personal authentication, access controls, and PIV card management across Federal departments and agencies. HSPD-12 envisions that when Federal departments and agencies issue and manage the required, fully interoperable PIV credentials, individuals’ identity can be authenticated Government-wide, thus increasing the security of Federal facilities and information systems. DoD did not meet the March 2006 PIV-II initial operational capability implementation milestone approved by OMB in the DoD Implementation Plan, nor did DoD meet the October 2006 OMB milestone for PIV-II implementation.

DoD PIV PKI Authentication Certificate
One of the technical specifications for a PIV-II-compliant card is a Public Key Infrastructure (PKI) authentication certificate. Because of the Department’s strategic pause, resources allocated to support the development of the authentication certificate were reallocated. The reallocation has caused a delay in the development, testing, and issuance of the authentication certificate. As a result, DoD now plans to delay issuance of the authentication certificate until the third quarter of FY 2008.
The current DoD credential contains three certificates: (1) digital signature certificate, (2) key management certificate, and (3) card authentication certificate. The DoD Public Key Infrastructure Program Management Office (PKI PMO), tasked with developing the required PIV PKI authentication certificate, chose to develop a new, fourth certificate to meet HSPD-12, FIPS 201-1, and PIV PKI authentication requirements rather than modify an existing certificate.

The PKI PMO elected to develop authentication certificates using the Federal bridge policy, despite the HSPD-12 requirement that became effective January 1, 2008, to use Common Policy object identifiers. DoD has been lobbying since 2006 to have changes made to FIPS 201-1 so that the Federal bridge policy would be adopted for DoD’s PIV PKI authentication certificate, rather than working toward meeting the current FIPS 201-1 Common Policy requirements. The PKI PMO program manager stated that DoD’s unique infrastructure is too robust to use the Common Policy object identifiers. DoD is not currently planning to use Common Policy object identifiers in certificates unless the National Institute of Standards and Technology (NIST) promulgates two modifications to the Federal Common Policy object identifiers. The requested modifications to the Common Policy are as follows.

        •   Increase the frequency of issuance of the certificate revocation list (CRL). DoD issues the CRL once every 24 hours from 14 certificate authorities. The Common Policy’s smaller 18-hour window will place a strain on system performance, according to DoD.

        •   Shorten the NextUpdate time in the CRL. DoD NextUpdate time is 7 days, whereas the Common Policy time is no longer than 48 hours.
            According to DoD, reduction in the number of days for the next update would cause a large increase in CRL traffic and potentially consume network bandwidth well above what the DoD network is meant to accommodate.

DoD plans to use Common Policy object identifiers in the PIV PKI authentication certificate only after FIPS 201-1 is revised to meet DoD objections, and estimates that implementation will take 1 year. The petition for the two changes has been submitted to the Federal PKI policy authority for approval, but no date has been established for consideration of the two modifications.

DoD PIV End-Point Applet
Because DoD has elected to maintain its current CAC infrastructure, DoD must develop a PIV end-point applet to achieve full interoperability with other Federal agencies for the DoD PIV credential, as required by HSPD-12. The PIV applet, developed by DMDC, will be the intermediary that should allow readers compliant with HSPD-12 to access the necessary information on the DoD credential. After the required approval of the DoD PIV applet by NIST, General Services Administration (GSA) testing of the PIV credential with all the required components must be successfully completed before the DoD credential can be considered end-point-PIV-compliant.

DoD Transitional Credential
OMB granted DoD transitional status for implementation of the PIV system in June 2005. DoD was given until April 2010 for its PIV system to achieve full operational capability for its approximately 3.5 million PIV credentials. DoD plans to issue PIV credentials to DoD employees and contractors as their CACs expire. DoD CACs expire 3 years after issuance.
DoD has started issuing some DoD PIV transitional credentials as card issuance workstations are updated to produce the transitional credentials.

Not all cardholders whose CACs expire receive the DoD transitional credential because not all card issuance workstations can issue the transitional credential. Some issuance sites are instructed to exhaust their current stock of noncompliant cards before issuing the DoD PIV transitional credential.

The DoD PIV transitional credentials do not contain either the required PIV PKI authentication certificate or the DoD PIV applet. According to DoD, the transitional credential can be updated at some future time with an approved and tested PIV PKI authentication certificate and PIV applet through downloads from the DMDC Web portal. DoD now projects PIV system full operational capability will occur in the summer of 2012. Achieving full operational capability remains problematic for DoD because of unresolved infrastructure issues and the unavailability of updated workstations required to issue the DoD transitional and eventually the fully compliant end-point PIV credentials.

DMDC is responsible for updating the centrally funded Real-time Automated Personnel Identification System (RAPIDS) workstations to RAPIDS version 7.2 to produce DoD PIV credentials for DoD installations in the continental United States by December 12, 2008. No schedule for deployment of updated RAPIDS workstations has been announced for four installations outside the continental United States, including two in Germany and one each in Djibouti and Greenland. No central funding is planned at installations for acquisition of equipment needed for the transition to physical access control systems that are compliant with HSPD-12 and FIPS 201-1.
Installation\ncommanders are responsible for granting access privileges and for funding to update or\nreplace physical access control systems to bring them into compliance. The Military\nServices did not provide any plans, milestones, or dedicated resources to update or\nreplace physical access control systems to comply with HSPD-12 and FIPS 201-1\nrequirements.\n\nConclusion\nInconsistent agency approaches to security of facilities and information systems are\ninefficient and costly, and they increase risk to the Federal Government. On\nAugust 27, 2004, President Bush issued a directive to Federal agencies to implement a\nGovernment-wide standard for secure and reliable forms of identification for Government\nemployees and contractors. Successful implementation was expected to increase the\nsecurity of Federal facilities and information systems. The President directed Federal\nagencies to promptly implement the mandatory, Government-wide standard for secure\nand reliable forms of identification.\n\nDoD has not met key HSPD-12 implementation milestones for completion of background\nchecks, verification of completed or initiated background checks, or Government-wide\ninteroperability. Additionally, DoD must modify its current Geneva Conventions PIV\ncredential to reduce the potential for identity fraud. Unresolved DoD CAC infrastructure\nproblems continue with no firm date for resolution. As a consequence, the intended\nbenefits of HSPD-12 to enhance security, increase Government efficiency, reduce\nidentity fraud, protect personal privacy, and reduce the potential for terrorist exploitation\nwill not begin to be fully realized by the Department until 2012 or later.\n\n\nClient Comments on the Finding and Audit Response\nPlease see Appendix C for complete client comments and audit responses on the finding.\n\n\n\n\n                                             8\n\x0cRecommendations, Client Comments, and Audit\nResponse\nA.1. 
We recommend that the Under Secretary of Defense for Personnel and Readiness:

    a. Submit DoD’s proposed personal identity verification end-point credential to the General Services Administration for conformance testing and approval within 1 month of completion of Recommendation A.3.

Client Comments. “OUSD (P&R) concurs with this recommendation. OUSD (P&R) will submit its Common Access Card (CAC) Personal Identity Verification (PIV) end-state credential to the General Services Administration (GSA) for conformance/interoperability testing within one month of completion of recommendation A3 (expected by the end of 2008). OUSD (P&R) fully expects the card to pass all areas DoD has agreed to support in accordance with the January 2008 DoD HSPD-12 Implementation Plan.”

Audit Response. Client comments are responsive.

    b. Test the General Services Administration-approved personal identity verification credential for compatibility with DoD systems before making it available to DoD employees and contractors.

Client Comments. “OUSD (P&R) partially concurs with this recommendation. As outlined in the above response, DoD will conduct GSA conformance testing by the end of calendar year 2008. However, OUSD (P&R) non-concurs with completing GSA testing before making the credential available to DoD employees and contractors. DoD was approved by OMB as a legacy card issuer and, as such, is authorized to implement transitional credentials that can be updated in the future to conform to FIPS 201 specifications. This provides significant benefit with minimal adverse impact to the operational community. Additionally, DoD has an established testing process with the Military Services and DoD Components that is monitored by the DoD’s Identity Protection Senior Coordinating Group (IPMSCG).
Prior to being moved to our operational CAC inventory, all emerging CAC platforms (including DoD’s CAC PIV transitional and end-state configurations) are evaluated and approved for release by the IPMSCG’s Test and Evaluation Work Group (TEWG). This group consists of representatives from Military Service CAC-PKI labs and several DoD Components.”

Audit Response. Client comments are not responsive. OMB Memorandum M-07-06, “Validating and Monitoring Agency Issuance of Personal Identity Verification Credentials,” January 11, 2007, requires all agencies to provide to GSA an end-point credential with their agency’s standard configuration for testing. If GSA finds configuration problems, the agencies are required to submit their standard configuration for retesting once the required corrections are made. The OMB memorandum also states that agencies should consider not issuing new credentials until all problems identified in testing are resolved. A credential that has passed GSA testing may not necessarily be compatible with all DoD systems. Therefore, it would be counterproductive to issue credentials that impede DoD operations. OMB required all agencies to begin issuing compliant credentials by October 27, 2006, either through the services of GSA and the Department of Interior or by performing this function internally. DoD’s internal transitional program is not exempt from this requirement. Transitional status does allow DoD additional time to obtain full operational capability because of the large volume of compliant credentials to be issued. We request that the USD(P&R) reconsider his position on the recommendation and provide additional comments on the final report.

    c.
Implement within 2 months the recommendation in DoD’s Report to Congress, “Omission of the SSN from the Department of Defense Military Identification Cards,” May 23, 2007, to display only the last four digits of the Social Security number on the Geneva Conventions credential, while migrating toward completely eliminating the display of the Social Security number on all identification credentials.

Client Comments. “OUSD (P&R) partially concurs with this recommendation. We note that the implementation of DoD’s Report to Congress, ‘Omission of the SSN from the Department of Defense Military Identification Cards,’ May 23, 2007 is not a requirement of HSPD-12, associated NIST standards, or relevant OMB HSPD-12 guidance.

The Department is executing the policy, procedural and technical steps required to remove the SSN from DoD ID cards. The truncation of the visible SSN on the Geneva Conventions credential to four digits is one step in the plan recommended to Congress. However, this step will take place in a coordinated fashion as the feature is made available within the issuance software (e.g., RAPIDS) and existing credentials are replaced after the update is completed. We expect to begin implementing this change during calendar year 2008.”

Audit Response. Client comments are responsive. We recognize the actions set forth in the Report to Congress to truncate the Social Security number on the Geneva Conventions credential to the last four digits.

A.2. We recommend that the Under Secretary of Defense for Personnel and Readiness, in conjunction with the Under Secretary of Defense for Intelligence, centrally fund the acquisition and installation of HSPD-12-compliant access control equipment throughout the Department and establish Component-specific milestones for both acquisition and installation of the equipment.

Client Comments (OUSD [P&R]).
“OUSD (P&R) defers on a response to this recommendation; the responsibility for centrally funding the acquisition and installation of access control equipment does not fall under the purview of OUSD (P&R). Responsibility for force protection and physical security standards falls under the purview of the Office of the Under Secretary of Defense for Intelligence (OUSD (I)).”

Audit Response. The client deferred to the OUSD (I) for comments on this recommendation.

Client Comments (OUSD [I]). “OUSD (I) nonconcurs with the recommendation as currently stated. OUSD (P&R) has the responsibility for fielding a FIPS 201 compliant identification credential to Federal Employees and Contractors only, which is expected to be complete by the end of FY 2012. OUSD (P&R) does not have Research, Development, Test and Evaluation (RDT&E), acquisition or oversight authority for access control equipment.

We do not support a central acquisition approach for access control equipment at present, as we are not staffed to support oversight of an effort of this magnitude, nor is the Air Force, who is the lead for Research, Development, Test and Evaluation for access control physical security equipment. (See references DoDI [Instruction] 5143.01, Under Secretary of Defense for Intelligence (USD (I)), Nov 2, 2005 and DoDI 3224.3 Physical Security Equipment (PSE) Research, Development, Test, and Evaluation (RDT&E), Oct 1, 2007.)

Central acquisition will be problematic for all components, as there are other issues that would significantly impact this approach.
These issues include: Congress provided no funding to implement this mandate and therefore any centralized acquisition would require reductions in other Physical Security and Department procurement requirements; HSPD-12 does not apply to National Security Systems and Special Risk Security Provisions; ability to adapt existing legacy systems to meet HSPD12; and the install of access control equipment must be in concert with military design and construction projects for access control points.

OUSD (I) concurs that any new acquisition and installation of access control equipment throughout the Department must conform to the mandates of HSPD-12 and associated OMB policy for interoperability. This stipulation has been included in formally staffed draft policy, Directive Type Memorandum 08-004, Policy Guidance for DoD Access Control, which is pending USD (I) signature as of this submission.”

Audit Response. Client comments are partially responsive. We agree with the client that any new acquisition and installation of access control equipment throughout the Department must conform to the mandates of HSPD-12 and associated OMB policy for interoperability. HSPD-12-compliant access control equipment will allow secure and rapid electronic verification of a credential holder’s identity.

Electronic authentication of identities is essential to realizing the full security benefits of HSPD-12 requirements. The procurement and installation of HSPD-12-compliant access control systems is crucial to meeting this requirement.
On April 9, 2008, the congressional Subcommittee on Government Management, Organization, and Procurement held a hearing on “Federal Security: ID Cards and Background Checks.” HSPD-12 was the major topic of discussion.

At the hearing, the Government Accountability Office (GAO) reported that most agencies were not using the electronic authentication on the PIV credentials and had not developed an implementation plan for these capabilities. One reason for this, according to GAO, is that agencies anticipate having to make substantial financial investments to fully implement HSPD-12. Committee members were greatly disturbed to learn of the practice of using the HSPD-12-mandated PIV credentials as flash passes. Members called the practice a waste of resources and asked whether additional funding is required for full implementation and use of the HSPD-12 credential. The full realization of the HSPD-12 goal to enhance the protection of DoD installations and facilities resources should be a DoD priority.

We request that the USD(I) reconsider his position and provide additional comments regarding the most appropriate mechanism to fund acquisition and installation of the PIV-compliant access control equipment throughout DoD.

A.3. We recommend that the Assistant Secretary of Defense for Networks and Information Integration/DoD Chief Information Officer develop the mandatory Public Key Infrastructure authentication certificate that complies with FIPS 201-1 requirements to use Common Policy object identifiers for cross-agency verification of cardholders’ identification within 6 months.

Client Comments. “Recommend that the DODIG remove the recommendation A.3 from the final report based on the extenuating and mitigating circumstances surrounding this FIPS 201 requirement.
DoD PKI PMO has endeavored, in good faith, to comply with all FIPS 201 requirements. Current plans, as stated in the January 2008 update to the DoD HSPD-12 Implementation Plan [JANDODPLAN], indicate that the PIV_Auth certificate will be instantiated on the DoD PIV credential as soon as technically possible. Lack of compliance with the Common Policy OIDs [object identifiers] does not affect the interoperable use (cross-agency verification of cardholder’s identity) of the CAC with either DoD or other Federal Agency physical or logical systems.

Comment: Disagree with this recommendation A.3. The recommendation does not recognize or consider the extensive mitigating or extenuating circumstances explained in the January 2008 update to DoD HSPD-12 Implementation Plan [JANDODPLAN] nor does it show consideration of the reported work accomplished by the DoD PKI PMO to comply with the FIPS 201 requirement for instantiation of a PIV Authentication certificate (PIV_AUTH). The DoD PKI PMO has planned for the deployment and is testing the issuance of a PIV_AUTH certificate and has estimated beginning the issuance of this certificate on the DoD PIV credential in 3QFY08 [JANDODPLAN]. Those plans are aligned with but contingent on fielding of another version of the RAPIDS issuance software. The DODIG recommendation does not consider the lack of adequate memory available on the current CAC crypto module, the availability of the cryptomodules with the necessary storage capacity, necessity for performance testing on issuance and use or examination of the operational impacts of using RSA [Rivest, Shamir, and Adleman] 2048 end entity certificates.
The DODIG recommendation does not consider that the DoD PKI PMO has reported, for several years, to OMB and the Federal PKI Policy Authority (FPKI PA), the risks of changing DoD PKI CA operations to conform to the specified Federal Common Policy requirements. DoD PKI PMO has been endeavoring to work with the FPKI PA to make mutually acceptable changes to the Federal Common Policy Certificate Policy (CP). The DODIG recommendation does not recognize or consider in extenuation that the DoD PKI PMO has been very proactive about informing the FPKI PA and NIST about the operational challenges full compliance with FIPS 201 represents to DoD.”

Audit Response. Client comments are not responsive. We recognize there are complexities involved in fielding the FIPS 201-1-compliant credential. Although the client states that the current CAC crypto module lacks adequate memory, there are cards available that will accommodate the memory requirements. Further, NIST officials have stated that for interoperability it is important that the PIV Authentication Key asserts the PKI Common Policy object identifiers. We request that the ASD(NII)/CIO provide additional comments on how he will meet FIPS 201-1 requirements.

B. Issuance of Implementation Guidance
DoD Components are attempting to address security and personnel identification concerns in an ad hoc manner. Formulation and issuance of HSPD-12 implementation guidance were not priorities for DoD because senior management chose to establish and implement less stringent access control requirements rather than HSPD-12 PIV-I standards.
DoD will not realize increased security and efficiencies until DoD Components are provided with comprehensive HSPD-12 implementation guidance mandating the issuance of secure and reliable credentials and the use of updated, compliant access control systems at DoD installations.

DoD Component Implementation Efforts
HSPD-12 requires that access to Federal facilities or information systems be granted to Federal employees and contractors based on secure and reliable forms of identification that meet the Federal standard established by the Secretary of Commerce. FIPS 201-1 contains the minimum standards that agencies are to implement to comply with HSPD-12 requirements. DoD has not issued comprehensive implementation guidance that incorporates the minimum standards, leaving DoD Components without specific guidance to address HSPD-12 requirements for security and personnel identification.

Without official guidance, Components have improvised. For instance, background checks vary by Component; Components have purchased equipment that is not HSPD-12 compliant; a DoD installation has issued a photoless identification credential; and Components have been authorized to issue Defense Biometric Identification System (DBIDS) credentials instead of PIV credentials.

Background Checks
DoD Components have not met NACI background check requirements. Because of the large number of Army personnel requiring NACIs and the associated cost, the Army is considering requesting a waiver of the immediate HSPD-12 mandated NACI background checks until the members’ current CAC cards expire or individuals are due for periodic reinvestigations. USD(P&R) issued a memo on March 9, 2007, expanding CAC eligibility to include foreign national partners who have been properly vetted and who require access to DoD facilities or information systems. This memo establishes the vetting requirement when an international security agreement is in place.
However, the guidance does not address a vetting process for foreign nationals requiring a CAC for access to DoD installations and information systems in countries where no international security agreement has been established, such as Afghanistan and Iraq. One Air Force base does not require contractors that have only physical access to the installation to receive background checks unless the contractors are first-line supervisors. One Defense agency required contractors receiving a CAC to undergo only a NAC. During our review, a Defense Agency Chief of Personnel Security issued an agency-wide e-mail on June 19, 2007, requiring contractors receiving a CAC to undergo a NACI background check.

Equipment Purchases
One Army installation purchased several card readers without ensuring they complied with HSPD-12. An Air Force installation was in the process of purchasing equipment that was not on the GSA Approved Products List as required by OMB; however, when made aware of this, officials at the Air Force installation stopped procurement to ensure they purchased only products that were on the GSA Approved Products List.

Photoless Identification
On February 4, 1999, the Commanding Officer at the Naval Support Station (now Naval Support Activity) in Philadelphia, Pennsylvania, issued a waiver for a photo identification badge to a Defense Logistics Agency (DLA) employee working at Defense Supply Center-Philadelphia (DSCP) who objected for religious reasons to having his photograph taken and displayed on the identification badge. Guidance is required on evaluating the legitimacy of requests that deviate from established access control policy.

DBIDS Credentials
DoD has authorized Components to issue a DBIDS card to employees and contractors who require only routine (180 days or greater) physical access.
This practice deviates from HSPD-12.

DoD HSPD-12 Policy and Guidance
Formulation and issuance of HSPD-12 implementation guidance were not priorities for DoD senior management. DoD Components’ problems with implementation can be attributed to the lack of comprehensive guidance. After issuing proposed HSPD-12 implementation policy for coordination in April 2006 and not reaching consensus among DoD Components, DoD established a working group to develop comprehensive guidance for implementation of HSPD-12, but the group has made only limited progress. Meanwhile, DoD senior management chose to establish and implement less stringent access control requirements rather than those established by HSPD-12.

Formulation of Policy
On April 24, 2006, the Defense Human Resource Agency (DHRA) sent out a request for coordination on proposed HSPD-12 implementation policy. DHRA, the Assistant Secretary of Defense for Networks and Information Integration/DoD Chief Information Officer (ASD [NII]/CIO), the Under Secretary of Defense for Acquisition, Technology, and Logistics (USD [AT&L]), DMDC, and USD(I) could not agree on the proposed HSPD-12 implementation policy. As a result, implementation languished until August 27, 2007, when the USD(I) Physical Security Directorate requested an HSPD-12 Strategy Working Group meeting with DHRA, ASD (NII/CIO), USD (AT&L), and DMDC group members to complete implementation guidance. As of March 2008, DoD had not issued DoD HSPD-12 implementation guidance other than updates to DoD Regulation 5200.08-R for physical access security.

Issuance of Guidance
DoD Regulation 5200.08-R does not address specific background check requirements or equipment purchases from the GSA Approved Products List.
Furthermore, it is inconsistent with HSPD-12 because it allows DBIDS and other forms of identification that are not compliant with FIPS 201-1.

NACI Requirement
DoD Regulation 5200.08-R states that “A National Agency Check with Inquiries or equivalent national security clearance National Agency Check with Local Agency Checks including Credit Check is required for permanent issuance of the credential.” This statement leaves open such questions as which DoD entity should pay for the background checks for contractors and what kind of background check is required for foreign nationals.

Approved Products List
To ensure Government-wide interoperability, DoD must acquire products and services that are compliant with FIPS 201-1 and included on the GSA Approved Products List as required by OMB. In some instances, DoD Components have acquired products that are not on the GSA Approved Products List. DoD has not issued any guidance to the Components requiring use of the Approved Products List.

DBIDS Credential and Physical Access Control Systems
OMB instructed agencies to be careful not to develop policies that contradict HSPD-12 standards for identity proofing and issuance of credentials. HSPD-12 standards mandate that all Federal employees and contractors requiring routine access for 180 days or longer receive a PIV-compliant credential and undergo a NACI or equivalent background check. DoD Regulation 5200.08-R authorizes personnel requiring only routine physical access to receive a DBIDS credential and undergo the less rigorous NAC.
Granting routine access to DoD installations to personnel who have only a NAC background check does not fully comply with the HSPD-12 policy objective to enhance security and protect physical and human capital assets on DoD installations.

According to DoD Directive 1000.25, DBIDS is a fully configurable force protection system and serves as a physical access control and critical property registration system. Yet the system does not meet the minimum standards of FIPS 201-1 to verify the claimed identity of individuals seeking physical access to Federal Government facilities. DoD Components are required to purchase and maintain this physical access control system through DMDC. However, DBIDS uses card readers and scanners that are not on the GSA Approved Products List as required by OMB.

Neither the DBIDS system nor the card is configured to operate with HSPD-12 security features such as PKI certificates, the Card Holder Unique Identifier, and biometrics embedded in the integrated circuit chip of the credential. Further, the use of barcode technology on the DBIDS credential does not enhance security because the barcode, a static physical card feature, cannot deter fraud, prevent counterfeiting, or protect personal privacy. According to comments from the Smart Card Alliance on a report by the Department of Homeland Security, DHS-2006-0030, May 7, 2007, barcode technology is not secure and not adequate to meet Federal security and privacy requirements. DBIDS does not meet the FIPS 201-1 minimum standards to enhance security, increase Government efficiency, and protect personal privacy.

Of the 16 installations we visited in the continental United States, 6 formerly used or continued to use DBIDS as their physical access control system for individuals requiring only physical access.
Four of the six installations used barcode technology, without biometrics, to authenticate the identity of the credential holder before granting access to the installation. The fifth, an Army installation, discontinued the use of DBIDS because the maintenance of the system was too expensive and the system did not perform as required. The sixth, an Army installation, used the DBIDS access control system but not the DBIDS card, which is not compliant with HSPD-12 standards.

Additionally, officials at one of the four installations, a Navy installation, stated that their DBIDS equipment is deteriorating and that they did not have the funds to maintain it. Instead of scanning the DBIDS credential, they use it as a flash pass.

Photo Identification Requirements
FIPS 201-1 requires that PIV credentials be issued only to individuals whose identity has been verified and whose background investigation is either on record or initiated. Identity verification for the PIV credential requires two forms of identification, including at least one valid State or Federal Government picture identification. The PIV credential requires a photograph showing the full frontal pose from top of the head to shoulder and placed in the upper left corner of the credential. Waivers to FIPS 201-1 are not allowed.

On February 4, 1999, the Commanding Officer at the Naval Support Station (now Naval Support Activity) in Philadelphia, Pennsylvania, issued a waiver to permit a photoless identification badge for a DLA employee working at DSCP who objected for religious reasons to having his photograph taken and displayed on the identification badge. In June 2005, the Naval Support Activity, Philadelphia reissued the DSCP employee a photoless Navy identification badge that did not comply with existing Naval Support Activity Instruction 5530.1.
In 2006, DLA, without proper approval, provided the DSCP employee with an alternate method to access DoD networks and information systems, violating DoD and DLA policy. DLA revised its certificate practices policy to allow an individual without photo identification to access DoD networks in February 2008. DoD has not confiscated the photoless identification because of concerns about litigation under the Religious Freedom Restoration Act. We discovered that the DSCP employee with the photoless identification used different Social Security numbers for a background investigation and logical access to DoD information systems. Therefore, we made a referral for investigation.

DoD has not approved guidance that prohibits issuance of photoless identification credentials, nor has DoD established a process to evaluate waiver requests. The issuance of a photoless identification card establishes a precedent that is contrary to the goal of HSPD-12 to enhance security and could expose DoD installations and information systems to unauthorized access and potential terrorist exploitation.

Conclusion
The elimination of multiple forms of identification used to gain access to Federal facilities where there is potential for terrorist attacks is central to Federal Homeland Security policy to promptly field a secure and reliable Government-wide identification credential. The identification credential will allow security personnel and information systems to authenticate the identities of Federal Government employees and contractors before authorizing physical or logical access to Federal installations and information systems.
DoD has not issued the necessary guidance to DoD Components to ensure that they are implementing the requirements of HSPD-12, which are designed to increase security for DoD installations and information systems, protect the privacy of DoD employees and contractors, and promote Government efficiency.

Recommendations, Client Comments, and Audit Response
Recommendations B.1. and B.2.a. have been revised in response to management comments and to clarify the intent of the recommendations.

B.1. We recommend that the Under Secretary of Defense for Personnel and Readiness develop and issue within 3 months a Deputy Secretary of Defense Directive to achieve full Department of Defense compliance with the requirements of Homeland Security Presidential Directive-12. The Directive should assign clear responsibility for compliance with each aspect of HSPD-12 and specify milestones for achieving compliance.

Client Comments. “OUSD (P&R) concurs with this recommendation. DoD is working from the January 2008 DoD HSPD-12 Implementation Plan which outlines the Department’s milestones for meeting those Federal conformance and interoperability capabilities we have agreed to support. However, OUSD (P&R) recognizes the need to coordinate additional milestones for areas that fall under the purview of other OSD PSAs (i.e., personnel security / background vetting). OUSD P&R will work with these organizations within the next three months to identify milestones that can be incorporated into the DoD HSPD-12 Implementation Plan.”

Audit Response. Client comments are not responsive. The intent of the original recommendation, as recognized by the client response, was that comprehensive DoD guidance be issued establishing clear areas of responsibility and milestones for implementation of HSPD-12.
We request that the OUSD (P&R) respond to the revised recommendation, providing an anticipated completion date for corrective action.

B.2. We recommend that, within 3 months, the Under Secretary of Defense for Personnel and Readiness and the Under Secretary of Defense for Intelligence:

    a. Revise DoD Directive 1000.25, “DoD Personnel Identity Protection (PIP) Program,” DoD Instruction 5200.08, “Security of DoD Installations and Resources,” DoD Regulation 5200.08-R, “Physical Security Program,” and other DoD issuances as necessary to appropriately reflect responsibility for incorporating FIPS 201-1 minimum requirements in all DoD electronic access control systems.

Client Comments (OUSD [P&R]). “OUSD (P&R) defers on a response to this recommendation; the responsibility for incorporating the minimum requirements for electronic access control systems does not fall under the purview of OUSD (P&R). OUSD (I) is the DoD lead for Physical Security to include the standards for access control. OUSD (P&R) will cooperate fully to support OUSD (I) with the development of these requirements and recommends that any subsequent guidance be incorporated within force protection or physical security publications or issuances such as the DoD Regulation 5200.8R issued by OUSD (I).”

Audit Response. The intent of the original recommendation was that DoD electronic access control systems used to identify personnel requiring routine access to DoD installations be compliant with FIPS 201-1 minimum requirements. USD(P&R) is the staff proponent for DoD Directive 1000.25, and USD(I) is the staff proponent for DoD Instruction 5200.08 and DoD Regulation 5200.08-R.
We request that the OUSD(P&R) respond to the revised recommendation, providing an anticipated completion date for corrective action.

Client Comments (OUSD [I]). “OUSD (I) nonconcurs. P&R is not the Principal Staff Assistant for Security, Access Control or Physical Security Equipment, which includes electronic access control systems. DoDD 1000.25 must be revised to delete all references to same. DoDI 5200.8 and DoDD 5200.8R will be revised to require all electronic access control systems to meet HSPD 12 and OMB guidance. OUSD(I) will coordinate with OSD (AT&L) to exercise RDT&E of all procurements for electronic access control systems in coordination with the Components’ physical security representatives and electronic systems engineers. OUSD(I) will maintain oversight in accordance with DoD Instruction 5143.01.”

Audit Response. Client comments are not responsive. The intent of the original recommendation was that DoD electronic access control systems used to identify personnel requiring routine access to DoD installations be compliant with FIPS 201-1 minimum requirements. USD(P&R) is the staff proponent for DoD Directive 1000.25, and USD(I) is the staff proponent for DoD Instruction 5200.08 and DoD Regulation 5200.08-R. We request that the USD(I) respond to the revised recommendation, providing an anticipated completion date for corrective action.

    b. Develop minimum background check requirements for vetting foreign nationals in countries where no international security agreement exists, such as Iraq and Afghanistan.

Client Comments (OUSD [P&R]). “OUSD (P&R) defers on a response to this recommendation; the responsibility for personnel security standards does not fall under the purview of OUSD (P&R). OUSD (I) is the DoD lead for Personnel Security to include the standards for equivalent HSPD-12 vetting for Foreign Nationals.
OUSD (P&R) will fully cooperate with OUSD (I) on incorporating identified requirements into the card issuance process and associated guidance.”

Audit Response. The client deferred to the OUSD (I) for comments on this recommendation.

Client Comments (OUSD [I]). “OUSD (I) concurs. The Department (CI&S), in conjunction with the Federal Interagency Working Group and with USD (Policy), ASD (International Security Affairs) is working to define an acceptable vetting process for foreign nationals requiring a CAC or physical access only badge in countries where no international security agreement has been established.”

Audit Response. Client comments are responsive.

B.3. We recommend that the Under Secretary of Defense for Intelligence:

       a. Revise DoD Regulation 5200.08-R, “Physical Security Program,” April 9, 2007, within 3 months to:

              (1) Require all contractors and Federal employees requiring routine physical access to a DoD installation to undergo a NACI background investigation and receive a DoD PIV credential.

Client Comments. “OUSD(I) concurs.”

Audit Response. Client comments are partially responsive. The Director did not indicate what actions he has taken or will take to accomplish the recommendation or include the anticipated completion date for corrective action. We request that the USD(I) provide additional comments on actions taken.

              (2) Expressly prohibit the issuance of photoless identification credentials used to gain access to DoD installations and facilities, or establish a formal process to waive requirements for a photo on the credential.

Client Comments. “OUSD (I) concurs in part. OSD (P&R) is the proponent for CAC and Identification Card issuance.
OUSD (I) is the proponent for physical access only credentials and will issue guidance to incorporate requirements mandated by Section 1069 of the 2008 National Defense Authorization Act. OUSD (I) will incorporate in policy procedures that “unescorted” access will not be granted for persons who do not present a photo identification credential. The federally compliant PIV credential and any physical access only credential will be required to be displayed as a visual access badge. Reasonable accommodation may be made for persons without photo identification, which will include “escorted” access, if an escort is available.”

Audit Response. Client comments are partially responsive. USD(I) did not specify the formal process to be established to waive requirements for a photo on the credential. We request that the USD(I) provide additional comments, including an anticipated completion date for corrective action.

              (3) Delete paragraph C3.3.2 in its entirety and delete the reference to the Defense Biometric Identification System credential in paragraph C3.3.3 of the Installation Access section.

Client Comments. “OUSD (I) concurs. OUSD (I) has incorporated this stipulation in formally staffed draft policy, Directive Type Memorandum 08-004, Policy Guidance for DoD Access Control, which is pending USD (I) signature as of this submission and has added language that all upgrades or procurement of access control systems be FIPS 201 compliant.”

Audit Response. Client comments are responsive.

Client Comments (ASD[NII]/CIO). Although not required to comment, the Deputy Assistant Secretary of Defense for Information and Identity Assurance replied for the ASD(NII)/CIO.
He stated: “It is documented that the Defense Biometric Identification System (DBIDS) was originally developed to meet a specific physical access credential requirement in EUCOM and PACOM prior to the issuance of HSPD-12. The vetting requirements included in the original DBIDS credential issuance process were specifically suited for populations of people that were not going to be eligible for a PIV-compliant credential. The DBIDS credential provided overseas commanders with a physical access only credential that raised the level of protection afforded to physical facilities while complying with best practices for electronically authenticated credential use. Nowhere in the text of this report is it acknowledged that the HSPD-12 mandate and FIPS 201 identity credential standard does not apply to populations of personnel, other than employees or contractors, that have a legitimate requirement to access Federal installations or facilities on a routine or intermittent basis. DBIDS can meet the security, vetting, revocation and tracking requirements for populations such as volunteers, maintenance and supply vendors, unpaid interns, employees of non-military concessions and businesses operating within installations or facilities. Recommend removing Recommendation B.3.a.(3) from the report.”

Audit Response. We reviewed client comments and determined that report revisions were not required. USD(I) has responsibility for DoD physical access control policy and has stated that DoD Regulation 5200.08-R will be revised to remove paragraph C3.3.2 in its entirety.

       b. Suspend use of the Defense Biometric Identification System and any other alternative credentials not explicitly approved by the Under Secretary of Defense for Intelligence for physical access to DoD installations and facilities.

Client Comments (OUSD [I]). “OUSD (I) concurs in part.
OUSD (I) will not suspend use of existing legacy access control systems, which includes DBIDS until such time as we have identified, tested and certified a replacement or upgrade that meets FIPS 201, Security Equipment Integration and network security requirements. Suspending use of existing legacy access control systems, whether FIPS compliant or not, would degrade the only security mitigators we have in place at the present time. The Directive Type Memorandum 08-004, Policy Guidance for DoD Access Control will require Heads of DoD components when purchasing upgrades to existing access control systems or when replacing current systems, the upgraded system must meet FIPS 201 (including ISO [International Organization of Standardization] 14443 contactless technology and ability to perform automated personal identity verification); include an emergency power source; and have the ability to provide rapid electronic authentication to Federal and DoD authoritative databases, including DoD personnel registered in the Defense Enrollment and Eligibility Reporting System. This change in policy will prohibit the procurement of non FIPS 201 compliant systems.”

Audit Response. Client comments are responsive.

Client Comments (OUSD [P&R]). Although not required to comment on this recommendation, the USD(P&R) provided these comments. “OUSD (P&R) non-concurs with the recommendation to suspend the use of the Defense Biometric Identification System (DBIDS). This access control system is installed throughout Europe, Korea, Japan, Guam, the AOR [area of responsibility] (except Iraq and Afghanistan) and some locations in CONUS [the continental United States], for a total of 157 bases. The use of this system has substantially increased security at each of the bases where it is used compared to the historical use of “flash and pass” processes.
To suspend usage of this system would significantly degrade security at each of these bases where it is currently operating or defer improvement in security at those bases where DBIDS implementations are planned. OUSD (P&R) would concur with a recommendation that DBIDS migrate to meet the policy published by OUSD (I).”

Audit Response. USD(I) has responsibility for DoD physical access control policy and has stated that his office will not suspend use of legacy access control systems including DBIDS. The USD(I) will require heads of DoD Components to meet FIPS 201-1 requirements when updating or replacing existing access control systems.

Appendix A. Scope and Methodology
We performed this audit from March 2007 through February 2008 in accordance with generally accepted government auditing standards. The standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. The evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

We evaluated the implementation of HSPD-12; Federal Information Processing Standards Publication 201-1; OMB Memorandums M-05-24 and M-07-06, National Institute of Standards and Technology Special Publications 800-73-1, 800-85A and B, and 800-79; and DoD Regulation 5200.08-R.
We interviewed personnel and obtained information from staff at DMDC, Defense Human Resources Activity, Pentagon Force Protection Agency, Public Key Infrastructure Program Management Office, Assistant Secretary of Defense for Networks and Information Integration/DoD Chief Information Officer; Under Secretary of Defense for Acquisition, Technology, and Logistics, Under Secretary of Defense for Intelligence, General Services Administration, and RAPIDS workstations site security managers, physical security officials, and human resources personnel with the Departments of the Army, Navy, Air Force, Marine Corps, Coast Guard, and the Defense Logistics Agency.

We visited the DMDC West facility to determine the stage of HSPD-12 compliance and to review CAC testing, issuance, and infrastructure. We judgmentally selected several military and Coast Guard installations with CAC issuance facilities to determine HSPD-12 compliance at the installation level.

   •   Camp Parks, San Francisco, California
   •   Fort Hunter Liggett, Monterey, California
   •   Moffett Field, Mountain View, California
   •   Presidio of Monterey, Monterey, California
   •   Naval Postgraduate School, Monterey, California
   •   Navy Yard, Washington Navy Yard, Washington, D.C.
   •   Customer Service Desk, Monterey, California
   •   Travis Air Force Base, San Francisco, California
   •   Andrews Air Force Base, Maryland
   •   Onizuka Air Force Base, Sunnyvale, California
   •   Marine Corps Base Quantico, Quantico, Virginia
   •   Alameda Coast Guard Support Center, Alameda, California
   •   Petaluma Coast Guard Training Center, Petaluma, California
   •   Defense Logistics Agency, Fort Belvoir Army Base, Fort Belvoir, Virginia
   •   Defense Logistics Agency, Defense Supply Center, Naval Support Activity, Philadelphia, Pennsylvania

These installations were selected because of their close proximity to DMDC West or the National Capital Region, their participation in beta testing the RAPIDS 7.2 software, and the variety of services they provide. We visited the Defense Supply Center-Philadelphia and Defense Logistics Agency because we received a referral from the Defense Criminal Investigative Service, Philadelphia regarding a photoless identification cardholder at the Defense Supply Center-Philadelphia. At all locations, we observed the CAC issuance process, inquired about physical security measures for the base as well as securing the inventory of CAC card stock, asked about training requirements for staff involved in CAC card issuance and inquired about the human resources process pertaining to background checks.

Use of Computer-Processed Data
We did not use computer-processed data to perform this audit.

Use of Technical Assistance
Members of the Technical Assessment Directorate assisted the auditors in understanding technical aspects of the audit. Mr. Jaime Bobbio, electronics engineer, and Mr. Minh Tran, computer engineer, helped in the review of technical guidance, tests of technology on cards, and the understanding of how the next-generation CAC will work.

Prior Coverage
During the last 5 years, the Government Accountability Office (GAO) has issued two reports discussing Federal Employee Identification Standards. Unrestricted GAO reports can be accessed over the Internet at http://www.gao.gov.

GAO
GAO Report No. 08-120SU, “Military Bases, High-level Access Control Guidance Is Consistent, but Flexible For Local Circumstances and Evolving to Standardize Access Control,” October 2007.

GAO Report No.
06-178, “Electronic Government: Agencies Face Challenges in Implementing New Federal Employee Identification Standard,” February 2006.

Appendix B. Guidance on Identification and Access Control
Public Law
Public Law 109-364, “John Warner National Defense Authorization Act for Fiscal Year 2007, Section 585,” October 17, 2006, requires that no later than 180 days after the enactment of this Act, the Secretary of Defense shall submit to Congress an assessment of the feasibility of utilizing military identification cards that do not contain, display, or exhibit the Social Security number of the individual identified by a military identification card.

The Privacy Act of 1974 was created in response to concerns about how the creation and use of computerized databases might affect individuals’ privacy rights. It safeguards privacy by creating four procedural and substantive rights regarding personal data. First, it requires government agencies to show an individual any records kept on him or her. Second, it requires agencies to follow certain principles, called “fair information practices,” when gathering and handling personal data. Third, it restricts how agencies can share an individual’s data with other people and agencies. Fourth and finally, it permits individuals to sue the Government for violating Privacy Act provisions.

Congressional Language
H.R. REP. NO. 109-452, 109th Cong., 2nd Sess. (May 5, 2006), “National Defense Authorization Act for Fiscal Year 2007 Report of the Committee on Armed Services House of Representative on H.R.
5122 together with Additional and Dissenting Views,” directed the Secretary of Defense to study the feasibility of developing an alternative process that would allow service members to immediately request that their military identification cards not include their Social Security number.

Presidential Directive
Homeland Security Presidential Directive-12, “Policy for a Common Identification Standard for Federal Employees and Contractors,” August 27, 2004, states that wide variations in the quality and security of forms of identification used to gain access to secure Federal and other facilities where there is potential for terrorist attacks need to be eliminated. Therefore, the President stated that it is the policy of the United States to enhance security, increase Government efficiency, reduce identity fraud, and protect personal privacy by establishing a mandatory, Government wide standard for secure and reliable forms of identification issued by the Federal Government to its employees and contractors. To implement the policy, the Secretary of Commerce shall promulgate a Federal standard for secure and reliable forms of identification no later than 6 months after the date of HSPD-12 in consultation with the Secretaries of State, Defense and Homeland Security; the Attorney General; the Director of the Office of Management and Budget, and the Director of the Office of Science and Technology Policy. For purposes of this directive, secure and reliable forms of identification are issued based on sound criteria for verifying an individual employee’s identity; strongly resistant to identity fraud, tampering, counterfeiting, and terrorist exploitation, can be rapidly authenticated electronically, and is issued only by providers whose reliability has been established.
In addition, no later than 4 months following promulgation of the standard, the heads of executive departments and agencies shall have a program in place to ensure the identification issued by their departments and agencies to Federal employees and contractors meets the standard. Additionally, the heads of executive departments and agencies shall require the use of identification by Federal employees and contractors that meets the standard in gaining physical access to Federally-controlled facilities and logical access to Federally-controlled information systems.

OMB Memoranda
OMB M-07-16, “Safeguarding Against and Responding to the Breach of Personally Identifiable Information,” May 22, 2007, requires agencies to eliminate the unnecessary use of the Social Security number. Agencies must now also review their use of the Social Security number in agency systems and programs to identify instances in which collection or use of the Social Security number is superfluous. The memo indicates that, within 120 days of the date of the memo, agencies must establish a plan to eliminate the unnecessary collection and use of the Social Security number within 18 months.

OMB M-07-06, “Validating and Monitoring Agency Issuance of Personal Verification Credentials,” January 11, 2007, discusses validating and monitoring agency issuance of PIV-compliant identity credentials in support of HSPD-12.
Additionally, OMB M-07-06 directed all agencies to provide GSA a credential with their agency’s standard configuration by January 19, 2007.

OMB M-06-18, “Acquisition of Products and Services for Implementation of HSPD-12,” June 30, 2006, provides updated direction for the acquisition of products and services for the implementation of HSPD-12 and the status of implementation efforts.

OMB M-05-24, “Implementation of Homeland Security Presidential Directive-12 Policy for a Common Identification Standard for Federal Employees and Contractors,” August 5, 2005, requires development and agency implementation of a mandatory, Government-wide standard for secure and reliable forms of identification for Federal employees and contractors. It also establishes timelines and milestones for FIPS 201-1 compliance.

NIST Directives and Special Publications
Federal Information Processing Standards Publication 201 (FIPS 201), “Personal Identity Verification (PIV) of Federal Employees and Contractors,” February 25, 2005, provides standards for the identity verification, issuance, and use of the common identity standard. It contains two major sections. Part One describes the minimum requirements for a Federal personal identity verification system that meets the control and security objectives of HSPD-12, including personal identity proofing, registration, and issuance. Part Two provides detailed specifications that will support technical interoperability of PIV systems of Federal departments and agencies. It describes the card elements, system interfaces, and security controls required to securely store, process, and retrieve personal identity information from the card.
The physical card characteristics, storage media, and data elements that make up identity credentials are specified in this standard.

FIPS PUB 201-1, Change Notice-1 (FIPS 201-1) “Personal Identity Verification of Federal Employees and Contractors,” March 2006, updates the requirements established by FIPS 201. Specifically, it makes changes to the graphics on the back of the PIV card and the Abstract Syntax Notation One encoding of the NACI indicator.

National Institute of Standards and Technology (NIST) Special Publication (SP) 800-85B, “PIV Data Model Test Guidelines,” July 2006, provides technical guidance on the methodology to be used during testing applicable components and specifies the derived test requirements, detailed test assertions, and conformance tests for testing the data elements of the PIV system.

NIST SP 800-85A, “PIV Card Application and Middleware Interface Test Guidelines,” April 2006, provides test requirements and test assertions that could be used to validate the compliance/conformance of two PIV components—PIV middleware and PIV card application to specifications in NIST SP 800-73.

NIST SP 800-73-1, “Interfaces for Personal Identity Verification,” March 2006, contains technical specifications for the smart card, the interface, the manner in which data on the credential are protected, and the format in which the data are to be retrieved. These specifications reflect the design goals of interoperability and PIV card functions.

DoD Regulation
DoD Regulation 5200.08-R, “Physical Security Program,” April 9, 2007, issued under the authority of DoD Instruction 5200.08, implements the policies and minimum standards for the physical security of DoD installations and resources.
This regulation applies to all organizational entities in the Department of Defense, referred to collectively as “DoD Components,” and is mandatory. This regulation addresses the physical security of personnel, installations, facilities, operations, and related resources of DoD Components, and provides minimum standards for the protection of resources normally found on installations. Regulation objectives include standardizing personal identification authentication for DoD installations and facilities, promoting interoperability with other Federal entities, and utilizing the DoD PIV credential as the universal authority of individual authenticity. The DoD PIV credential will provide the level of identity assurance and Government-wide recognition mandated by HSPD-12. The regulation also establishes DBIDS as an alternative to the CAC.

DoD Directives
DoD Directive 1000.25, “DoD Personnel Identity Protection (PIP) Program,” July 19, 2004, establishes policy for the implementation and operation of the PIP program including use of identity information, issuance and use of DoD identity credentials, and operation of the Defense Enrollment and Eligibility Reporting System, Real-time Automated Personnel Identification System (RAPIDS) and associated systems, DBIDS, Defense Cross-Credentialing Identification System, Defense National Visitors Center, and the Defense Noncombatant Evacuation Operations Tracking System.

DoD Directive 8190.3, “Smart Card Technology,” August 31, 2002, requires that smart card technology applied in the form of a CAC shall be the standard identification card and the Department’s primary platform for the Public Key Infrastructure (PKI) authentication token used to access DoD computer networks and systems.

DoD Instructions
DoD Instruction 8520.2, “Public Key Infrastructure and
Public Key Enabling,” April 1, 2004, assigns responsibility to the ASD(NII/CIO) to serve as the Designated Approving Authority for the DoD PKI; approve or disapprove Department-wide waivers submitted by the DoD PKI Program Management Office; and approve DoD use of hardware tokens other than the CAC for identity, signature, and encryption certificates. The DoD Component CIOs shall have responsibility to approve or disapprove waiver requests in accordance with waiver process guidance and to submit approved waivers to the ASD(NII/CIO). The Director, DoD PKI Program Management Office, is to review justification of requests for hardware tokens other than the CAC for identity, signature, and encryption certificates and provide a recommendation for action to the ASD(NII/CIO). The instruction also requires authentication with certificates issued by the DoD PKI on hardware tokens. A hardware token is defined as a portable, user-controlled, physical device used to generate, store, and protect cryptographic information and to perform cryptographic functions.

DoD Instruction 1000.1, “Identity Cards Required by the Geneva Conventions,” January 30, 1974, provides requirements for the form, issuance, and use of identity cards required by the Geneva Conventions of August 12, 1949, for the protection of war victims.

DoD Memoranda and Task Orders
DoD Memorandum, “Discontinuance of Military Service Number as Personnel Identification,” January 1967, authorizes the substitution of the Social Security number for the military service number on ID badges and tags throughout DoD when a unique identification of individuals is required.

USD(P&R) Memorandum, “Common Access Card (CAC) Eligibility for Foreign National Personnel,” March 9, 2007, applies to DoD-sponsored foreign national military, government and contractor personnel who are sponsored by their government as part of an
official visit or assignment to work on a DoD installation or controlled space or requiring access to DoD networks both on site or remotely.

The Joint Task Force Global Network Operations (JTF-GNO) Communications Task Order 06/02, “Tasks for Phase 1 of the Accelerated Public Key Infrastructure (PKI) Implementation,” January 2006, states that, upon receipt, all DoD Components are directed to accelerate PKI implementation. It explains that ongoing intrusion activity has focused on exfiltration of valid usernames and passwords for use in further exploitation and access, presenting a direct danger to the Global Information Grid. Task three requires 100-percent compliance with smart card log-on to the NIPRNET using DoD PKI for all Components no later than July 31, 2006. This task applies specifically to the ability to log on to the network, and applies to all desktops, servers, and laptops that connect to the NIPRNET.

JTF-GNO Communications Task Order 06/02 Update #3, “Focused Effort to Secure NIPRNet Web Servers,” September 21, 2006, provides notice to DoD Components of enforcement measures to ensure proper configuration of private DoD Web servers and eliminate all username/password and non-DoD PKI certificate authorities. Task two requires that all Components allow only certificate-based client authentication to private DoD Web servers using certificates issued by DoD PKI certificate authorities. These actions will affect mission and mission-support systems that are not PKI compliant as well as people who do not have CACs who may require access to PKI-authenticating systems. Individuals without CACs must use either an alternate log-on token or another approved method of two-factor authentication.
Exceptions will be based on valid operational needs, and approved exceptions must be submitted to the JTF-GNO and must include a Plan of Action & Milestones for mitigation or completion, as well as a statement of operational risk.

Military Department Directive
Department of the Navy, Naval Support Activity (NSA) Instruction 5530.1, “Identification Badges and Passes for Entrance onto the NSA Philadelphia Compound,” May 31, 1991, states that civilian employees are required to wear ID badges at all times while on the compound. When entering the compound, pedestrian employees must present their ID badge to the guard to verify the photo and expiration date.

DoD Component Instruction
Defense Logistics Agency Instruction (DLAI) 5710.1, “Physical Security Program,” August 12, 1994, prescribes procedures and minimum standards for the physical protection of DLA personnel, installations, operations, and assets. The instruction states that all DLA activities will establish procedures for the identification and control of personnel and visitors. The DLA ID card is issued to DLA employees and is not meant to grant access to security areas; a separate key card or badge should be issued for this purpose. The card configuration example indicates that a photo of the cardholder is to be displayed in the lower left corner of the card. At a minimum, the front of the badge must contain a color photograph; a serial number; issuing activity; the signature of the authenticating official; the signature, name, organization, and height of the holder; and the expiration date of the badge. ID badges for permanent DLA employees and tenant activity personnel bear an expiration date that is no more than 5 years from date of issue.

Appendix C. Client Comments on the Findings and Audit Response
USD(P&R) Comments on the Findings

The Deputy Under Secretary of Defense (Program Integration) responded for the USD(P&R). Below are excerpts from the draft report, clarifications that the USD(P&R) recommended, and audit responses.

Item 1 (page 2, “Background”)
Excerpt: “As of March, 2007, DoD has issued 56 such credentials.”

Client Comments. “As outlined in our March 2008 PIV issuance report to OMB, DoD has issued 108,778 PIV transitional configured CACs.”

Audit Response. We reviewed client comments and determined the draft report was accurate. According to the Department of Defense Status Report updated December 26, 2007 (downloaded from the Defense Manpower Data Center Web site as of March 2007), DoD had issued 56 PIV cards to employees. The Department of Defense Status Report updated April 1, 2008, cites 83,659 PIV cards issued for employees and 25,119 PIV cards issued for contractors, totaling 108,778 PIV cards. We have updated the report to reflect the transitional PIV cards issued after the draft report.

Item 2 (page 2, “Internal Controls”)
Excerpt: “Implementing the recommendations made in this report, together with those developed for a related audit, Project No. D2007-D000LA-0199, ‘Controls Over the Contractor Common Access Card Life Cycle,’ will assist in bringing the Department into compliance. A copy of the final report will be provided to the senior official responsible for internal controls in DoD.”

Client Comments. “It is inappropriate to reference an incomplete audit which draft results have not been shared with organizations engaged with the audit. DoD IG recommendations and findings related to Project No.
D2007-D000LA-0199 should be addressed by a separate audit through the formal audit review processes.”

Audit Response. Both reports pertain to transitional PIV cards, and common internal control weaknesses should be addressed together. Results of Project D2007-D000LA-0199 were shared with OUSD(P&R) on April 15, 2008; however, the results have not yet been published and, therefore, the reference has been deleted.

Item 3 (page 3, “DoD Implementation of HSPD-12”)
Excerpt: “DoD failed to meet the milestones approved by the Office of Management and Budget (OMB) in 2005 for compliance with HSPD-12 by 2010.”

Client Comments. “DoD has updated its original HSPD-12 Implementation Plan to OMB on two occasions (most recently 24 January 2008). OMB approved our initial revision (September 2006) and is currently reviewing our January 2008 revision.”

Audit Response. We reviewed client comments and determined that report revisions were not required. Auditors requested supporting documentation for the OUSD(P&R) assertion that OMB approved the DoD HSPD-12 Implementation Plan revision of September 2006; the requested support was not provided. Further, the September 2006 revision projected PIV-II transitional initial operational capability would be attained by October 27, 2006, and full HSPD-12 compliance 3.5 years later (2010). Neither projection will be realized.
The most recent DoD HSPD-12 Implementation Plan of\nJanuary 24, 2008, projects full compliance with HSPD-12 by the summer of 2012.\n\nItem 4 (page 5, \xe2\x80\x9cDeadlines for Completion of Background Checks\xe2\x80\x9d)\nExcerpt: \xe2\x80\x9cAccording to DoD\xe2\x80\x99s January 2008 implementation plan, as of\nDecember 26, 2007, the following numbers of DoD employees and contractors have not\ncompleted the required background checks: Military/Civilian (1,240,214); contractors\n(196,185); total (1,436,399).\xe2\x80\x9d\n\nClient Comments. \xe2\x80\x9cThe numbers provided within the DoD\xe2\x80\x99s January 2008\nImplementation Plan reflected efforts taken to reconcile CAC issuance records with\nJPAS. The 1,436,399 number are records that showed as \xe2\x80\x98unknown\xe2\x80\x99 during this effort,\nbut does not mean that these individuals do not have background investigations. The use\nof the term \xe2\x80\x98have not completed\xe2\x80\x99 is not accurate.\xe2\x80\x9d\n\nAudit Response. We reviewed client comments and determined that report revisions\nwere not required. The numbers reported in the Implementation Plan were identified as\nFederal civilian, military, and contract employees requiring NACI or equivalent\nbackground checks that had not previously undergone a NACI. The report noted, as did\nthe January 24, 2008, DoD Implementation Plan, that the numbers might not be accurate\ndue to JPAS data quality.\n\nItem 5 (page 5, \xe2\x80\x9cPrivacy Requirements\xe2\x80\x9d)\nExcerpt: \xe2\x80\x9cDoD Geneva Conventions credential for members of the uniformed service\ndoes not comply with HSPD-12 or with Federal policies and requirements to reduce\nidentity fraud and protect personal privacy.\xe2\x80\x9d\n\nClient Comments. 
\xe2\x80\x9cThe DoD Geneva Conventions CAC does comply with standards\nissued for HSPD-12 (see FIPS 201-1, Section 4.1.4.4, page 20).\xe2\x80\x9d\n\n               For Zones 9 and 10, departments and agencies are encouraged to use\n               this area prudently and minimize printed text to that which is absolutely\n               necessary.\n\n               In the case of the Department of Defense, the back of the card will have\n               a distinct appearance. This is necessary to display information required\n               by Geneva Accord and to facilitate medical entitlements that are\n               legislatively mandated.\n\n\n                                                 33\n\x0c\xe2\x80\x9cThe additional references in the \xe2\x80\x98Privacy Requirements\xe2\x80\x99 section regarding Social\nSecurity Numbers (SSN) are not specifically related to HSPD-12, associated NIST\npublications, and relevant OMB memoranda (M05-24) on HSPD-12. In fact, the\nAdministration\xe2\x80\x99s initiative to reduce the use and exposure of SSN within the Federal\nGovernment began in April 2007 with the release of the Presidential Task Force on\nIdentity Theft\xe2\x80\x99s strategic plan (and subsequent OMB memo M07-16 22 May 2007).\nUntil FIPS 201-1 is updated to align with new Federal policies related to SSNs, this topic\nis outside the scope of the audit announcement.\n\nDoD has engaged in the effort to decrease the possibility of our Service members\nexposure to identity fraud/theft through the Department\xe2\x80\x99s use of SSN. USD (P&R)\nprovided a Report to Congress that outlines the Department\xe2\x80\x99s plan. We have been\nworking to secure consensus with others within the Department and adjust the necessary\npaperwork to make sure our proposal satisfies the Geneva Conventions requirements. 
A\ndirective-type memorandum, \xe2\x80\x98DoD Social Security Number Reduction Plan,\xe2\x80\x99 was signed\nby USD (P&R) 29 March 2008.\xe2\x80\x9d\n\nAudit Response. We reviewed client comments and determined that report revisions\nwere not required. HSPD-12 policy specifically mandates the protection of personal\nprivacy and the reduction of identity fraud by establishing a standard for secure and\nreliable forms of identification. Secure and reliable forms of identification are defined in\npart as being strongly resistant to identity fraud. The printing of the entire Social\nSecurity number on PIV credentials does not comply with the objective of HSPD-12 to\nreduce the potential for identity theft. To suggest otherwise is inconsistent with\npresidential and congressional direction to protect personal privacy.\n\nFIPS 201-1 contains Geneva Conventions card requirements for zones 9 and 10.\nFIPS 201-1 encourages that agency-specific text in zones 9 and 10 of PIV cards be\nlimited to text that is absolutely necessary. The printing of the entire Social Security\nnumber on Geneva Conventions cards should be discontinued. The Department\xe2\x80\x99s plan to\ntruncate the visible Social Security number on Geneva Conventions credentials to four\ndigits will reduce the potential for identity theft. The directive-type memorandum signed\nby the USD(P&R) was issued after publication of this draft report. During the formal\ncomment period, the DoD Inspector General did not concur.\n\nItem 6 (page 5, \xe2\x80\x9cPrivacy Requirements\xe2\x80\x9d)\nExcerpt: \xe2\x80\x9cNo time table was provided to implement the recommendation, however, nor\ndid the report specify who was responsible for implementation.\xe2\x80\x9d\n\nClient Comments. \xe2\x80\x9cIdentification cards to support Geneva Conventions and\nbenefits/eligibility are clearly the responsibilities of the USD (P&R). 
Authorship of the\nreport to Congress, \xe2\x80\x98Omission of the SSN from the Department of Defense Military\nIdentification Cards,\xe2\x80\x99 May 23, 2007, was led by the OUSD (P&R) and signed by\nUSD (P&R).\xe2\x80\x9d\n\n\n\n\n                                             34\n\x0cAudit Response. We reviewed client comments and determined that report revisions\nwere not required. We agree identification cards to support Geneva Conventions and\nbenefits and eligibility are clearly the responsibilities of USD(P&R); however, the report\nto Congress does not explicitly state which DoD Component is responsible for\nimplementing the recommendations.\n\nItem 7 (page 6, \xe2\x80\x9cPersonal Identity Verification-II Requirements\xe2\x80\x9d)\nExcerpt: \xe2\x80\x9cDoD did not meet the March 2006 PIV-II initial operating capability\nimplementation milestone approved by OMB in the DoD implementation plan, nor did\nDoD meet the October 2006 OMB milestone for final PIV-II implementation.\xe2\x80\x9d\n\nClient Comments. \xe2\x80\x9cThe reference for the March 2006 PIV-II IOC [initial operational\ncapability] date is unclear. The approved DoD HSPD-12 Implementation Plan states the\nfollowing:\n       \xe2\x80\xa2 DoD achieved \xe2\x80\x9cinitial operational capability (IOC) for PIV I\xe2\x80\x9d by\n          October 27, 2005.\n       \xe2\x80\xa2 DoD achieved \xe2\x80\x9cIOC for PIV II\xe2\x80\x9d with issuance of DoD PIV transitional cards by\n          October 27, 2006.\xe2\x80\x9d\n\nAudit Response. We reviewed client comments and determined that report revisions\nwere not required. The DoD HSPD-12 Implementation Plan of June 27, 2007, projected\nPIV-II initial operational capability would be achieved within 9 to 12 months of\npromulgation by the National Institute of Standards and Technology (NIST) of the\nrequired information and the availability of production-quality products that support\nPIV-II. 
NIST Special Publication 800-73, \xe2\x80\x9cInterfaces for Personal Identity Verification,\xe2\x80\x9d\nwas promulgated in April 2005. March 2006 was the 12-month point for the DoD\nprojected PIV-II initial operational capability. In addition, OMB Memorandum M-05-24,\n\xe2\x80\x9cImplementation of Homeland Security Presidential Directive (HSPD)-12, \xe2\x80\x9cPolicy for a\nCommon Identification Standard for Federal Employees and Contractors,\xe2\x80\x9d\nAugust 5, 2005, required all agencies to begin compliance with PIV-II by\nOctober 27, 2006. DoD was not and is not compliant with PIV-II because DoD\xe2\x80\x99s PIV\ncredential is missing at least two key elements of PIV-II: (1) the mandatory PIV PKI\nauthentication certificate and (2) the DoD PIV applet.\n\nItem 8 (page 8, \xe2\x80\x9cDoD Transitional Credential\xe2\x80\x9d)\nExcerpt: \xe2\x80\x9c. . .workstations to RAPIDS version 7.2 to produce DoD PIV credentials for\nDoD installations in the continental United States by December 12, 2008. No schedule\nfor deployment of updated RAPIDS workstations has been announced for four\ninstallations outside the continental United States, including two in Germany and one\neach in Djibouti and Greenland.\xe2\x80\x9d\n\nClient Comments. \xe2\x80\x9cThe RAPIDS upgrade schedule to produce DoD PIV credentials for\ncalendar year 2008 includes all OCONUS installations in Europe, Africa, and Asia,\nincluding those referenced in the excerpt. The only workstations that it does not include\nare those portable deployable shipboard and forward deployed units. OUSD (P&R) is\n\n\n\n\n                                            35\n\x0cworking directly with the Services to upgrade these workstations as they return from\ntheater or deployment or have a period of availability.\xe2\x80\x9d\n\nAudit Response. We reviewed client comments and determined that report revisions\nwere not required. The installation schedule does include these four locations. 
However,\nthe notation in the columns \xe2\x80\x9cinstall begin\xe2\x80\x9d and \xe2\x80\x9cinstall end\xe2\x80\x9d for the two Germany\nlocations is \xe2\x80\x9cTBD [to be determined].\xe2\x80\x9d Therefore, they are not considered scheduled.\nThe \xe2\x80\x9cinstall begin\xe2\x80\x9d column contains dates for Djibouti and Greenland. However, the\n\xe2\x80\x9cinstall end\xe2\x80\x9d column indicates \xe2\x80\x9cTBD.\xe2\x80\x9d\n\nItem 9 (page 11, \xe2\x80\x9cDoD Component Implementation Efforts\xe2\x80\x9d)\nExcerpt: \xe2\x80\x9cComponents have been authorized to issue Defense Biometric Identification\nSystem (DBIDS) credentials instead of PIV credentials.\xe2\x80\x9d\n\nClient Comments. \xe2\x80\x9cDBIDS is a local or regional perimeter access control system that\nuses the CAC (for those individuals who qualify) and contains local physical access only\nbadging capabilities (for those who do not qualify for a CAC). DBIDS credentials are\nnot issued to those who possess CACs. As such, HSPD-12, associated NIST\npublications, and relevant OMB memoranda (especially M05-24) on HSPD-12 have\nnothing to do with DBIDS. This topic is outside the scope of the audit announcement,\n\xe2\x80\x98DoD Implementation of Homeland Security Presidential Directive-12.\xe2\x80\x99\xe2\x80\x9d\n\nAudit Response. We reviewed client comments and determined that report revisions\nwere not required. As stated in the draft report, contractors requiring access to DoD\nfacilities and installations for more than 6 months receive DBIDS cards. As stated in\nOMB Memorandum M-05-24, these contractors must receive a PIV credential and are\nsubject to the HSPD-12 required vetting process. 
In addition, OMB Memorandum M-05-\n24 does not differentiate between physical access to a single facility and physical access\nto multiple facilities.\n\nItem 10 (page 12, \xe2\x80\x9cPhotoless Identification\xe2\x80\x9d)\nExcerpt: \xe2\x80\x9cThe Commanding Officer at the Naval Support Station (now Naval Support\nActivity) in Philadelphia, Pennsylvania, issued a waiver for a photo identification badge\nto a Defense Logistics Agency (DLA) employee working at Defense Supply Center-\nPhiladelphia (DSCP) who objected for religious reasons to having his photograph taken\nand displayed on the identification badge.\xe2\x80\x9d\n\nClient Comments. \xe2\x80\x9cThe badge in questions is not a CAC. It was a locally issued badge\nto facilitate access to the installation. A congressional response dated October 16, 2006\nstated that a special exemption to policy could not be approved through OUSD (P&R), to\nreceive a CAC without a picture, but if the religion could be accommodated in another\nway, then OUSD (P&R) could waive the requirement to receive a CAC. This is the only\ndocumented request across 3.5 million active CACs.\xe2\x80\x9d\n\nAudit Response. We reviewed client comments and determined that report revisions\nwere not required. The audit report clearly states that the credential is a Navy\n\n\n\n                                            36\n\x0cidentification badge, and does not imply that it is a CAC. The congressional response\ndated October 16, 2006, does clearly state that a CAC cannot be issued without a photo,\nbut it makes no mention of alternative religious accommodation or of waiving the\nrequirement to receive a CAC.\n\nItem 11 (page 12, \xe2\x80\x9cDBIDS Credentials\xe2\x80\x9d)\nExcerpt: \xe2\x80\x9cDoD has authorized Components to issue a DBIDS card to employees and\ncontractors who require only routine physical access. This practice deviates from\nHSPD-12.\xe2\x80\x9d\n\nClient Comments. 
\xe2\x80\x9cDBIDS cards are not issued to DoD civilian or military personnel\xe2\x80\x93\nthose individuals receive CACs. Identification of those contractors who are to receive a\nPIV card is based on the Department\xe2\x80\x99s determination of the access requirement. DoD has\ndefined eligible CAC contractors in the following manner in the draft \xe2\x80\x98Next Generation\nCAC Implementation Guidance\xe2\x80\x99 directive-type memorandum (DTM), signed into the\nSD 106 staffing process on 6 March 2008\xe2\x80\x9d:\n\n              CAC eligibility for other populations, including DoD contractors, non-\n              DoD Federal civilians, state employees, and other non-DoD affiliates,\n              is based on the government sponsor\xe2\x80\x99s determination of the type and\n              frequency of access required to DoD facilities or networks that will\n              effectively support the mission. To be eligible for a CAC, the access\n              requirement must meet one of the following criteria:\n\n                  \xe2\x80\xa2   The individual requires access to multiple DoD facilities or\n                      access to multiple non DoD Federal facilities on behalf of\n                      DoD (this requirement is applicable to DoD contractors only).\n                  \xe2\x80\xa2   The individual requires both access to a DoD facility and\n                      access to DoD networks on site or remotely.\n                  \xe2\x80\xa2   The individual requires remote access to DoD networks that\n                      use only the CAC logon for user authentication.\n\nAudit Response. We reviewed client comments and determined that report revisions\nwere not required. 
DoD Regulation 5200.08-R, \xe2\x80\x9cPhysical Security Program,\xe2\x80\x9d\nApril 9, 2007, does not specify the type of individuals who will receive a DBIDS card.\nInstead, the Regulation states that the \xe2\x80\x9cDBIDS card shall be issued and authorized for\nroutine, physical access, to a single DoD installation or facility.\xe2\x80\x9d In addition, as the\nclient\xe2\x80\x99s comments state, the \xe2\x80\x9cNext Generation CAC Implementation Guidance\xe2\x80\x9d is a draft\ndocument.\n\nItem 12 (page 12, \xe2\x80\x9cDoD HSPD-12 Policy and Guidance\xe2\x80\x9d)\nExcerpt: \xe2\x80\x9cDoD established a working group to develop comprehensive guidance for\nimplementation of HSPD-12, but the group has made only limited progress.\xe2\x80\x9d\n\nClient Comments. \xe2\x80\x9cThe HSPD-12 workgroup has made significant progress since its\ninception. A Deputy Secretary of Defense level Directive Type Memorandum (DTM) on\nHSPD-12 policy is in formal SD106 coordination. In addition, an SD 106 coordination\nrequest was signed by Dr. Chu for a DTM on the \xe2\x80\x98Next Generation CAC Implementation\nGuidance\xe2\x80\x99 on 5 March 2008. Additionally, several sub-working groups have been\n\n\n                                               37\n\x0cestablished and are meeting to directly address issues regarding personnel security and\nvetting criteria in compliance with HSPD-12, and to set standards for access control to\nDoD installations and facilities.\xe2\x80\x9d\n\nAudit Response. We reviewed client comments and determined that report revisions\nwere not required. Members of the HSPD-12 working group expressed frustration with\ndelays in formulating the implementation guidance because of Component disagreements\nand nonconcurrence regarding responsibility for implementation elements. 
On April 10,\n2008, after issuing the draft report on March 21, 2008, the DoD Office of Inspector\nGeneral received the Draft USD(P&R) Guidance, \xe2\x80\x9cNext Generation Common Access\nCard (CAC) Implementation Guidance in Support of Homeland Security Presidential\nDirective-12 (HSPD-12),\xe2\x80\x9d for coordination. On April 11, 2008, the DoD Office of\nInspector General received for coordination the Draft Deputy Secretary of Defense\nDirective-Type Memorandum (DTM) #2008-006, \xe2\x80\x9cDoD Implementation of Homeland\nSecurity Presidential Directive-12 (HSPD-12).\xe2\x80\x9d Both documents remain in draft and\nunder revision to address concerns of DoD Components other than USD(P&R).\n\nItem 13 (page 12, \xe2\x80\x9cDoD HSPD-12 Policy and Guidance\xe2\x80\x9d)\nExcerpt: \xe2\x80\x9cMeanwhile, DoD senior management chose to establish and implement less\nstringent access control requirements than those established by HSPD-12.\xe2\x80\x9d\n\nClient Comments. \xe2\x80\x9cHSPD-12 associated NIST publications, and relevant OMB\nguidance do not provide specific mandates or timetable for the use of HSPD-12\ncredentials to control access to Federal network assets or installations. In fact, the CAC\nwas implemented in 2000 and has provided a secure and reliable identification card prior\nto the release of HSPD-12 so that it is used daily to:\n\n   \xe2\x80\xa2   Facilitate access to DoD facilities and installations around the world.\n\n   \xe2\x80\xa2   Authenticate to 98% of the Department\xe2\x80\x99s unclassified network accounts and\n       100% of the Departments private web servers, web sites, and portals. This has\n       resulted in:\n\n           o Successful intrusions declining 46 percent in the past year because of a\n             requirement that all DOD personnel log on to unclassified networks using\n             CACs, although there are 6 million probes of Defense Department\n             networks a day. (JTF GNO, Lt. Gen. 
Charles Croom, Federal Computer\n             Weekly article on 25 January 2007)\n\n           o The Number of successful socially engineered e-mail attacks (definition:\n             A socially engineered attack is one in which the user is somehow tricked\n             into doing the attacker\xe2\x80\x99s bidding) against DoD users\xe2\x80\x94a practice known as\n             spear phishing\xe2\x80\x94declining 30 percent in the past year (JTF GNO, Lt. Gen,\n             Charles Croom, Federal Computer Weekly article on 25 January 2007).\xe2\x80\x9d\n\n\n\n\n                                            38\n\x0cAudit Response. We reviewed client comments and determined that report revisions\nwere not required. DoD Regulation 5200.08-R, \xe2\x80\x9cPhysical Security Program,\xe2\x80\x9d April 9,\n2007, paragraph C3.3.2. and paragraph C3.3.3., establishes a less stringent access control\nrequirement. DoD Regulation 5200.08-R requires the implementation of DBIDS\nthroughout DoD installations and facilities. As stated in the draft report, DBIDS does not\nmeet the HSPD-12 security and access control requirements. The Director of Security in\nthe Office of the Under Secretary of Defense for Intelligence has agreed to revise and\nremove references to DBIDS from DoD Regulation 5200.08-R.\n\nItem 14 (page 13, \xe2\x80\x9cIssuance of Guidance\xe2\x80\x9d)\nExcerpt: \xe2\x80\x9cDoD Regulation 5200.08-R . . . . is inconsistent with HSPD-12 because it\nallows DBIDS and other forms of identification that are not compliant with FIPS 201-1.\xe2\x80\x9d\n\nClient Comments. \xe2\x80\x9cSee remarks in item 16.\xe2\x80\x9d\n\nAudit Response. See audit response for item 16.\n\nItem 15 (page 13, \xe2\x80\x9cDBIDS Credential and Physical Access Control System\xe2\x80\x9d)\nExcerpt: \xe2\x80\x9cOMB instructed agencies to be careful not to develop policies that contradict\nHSPD-12 standards for identity proofing and issuance of credentials. 
HSPD-12 standards\nmandate that all Federal employees and contractors requiring routine access for 180 days\nor greater receive a PIV-compliant credential and undergo a NACI or equivalent\nbackground check. DoD Regulation 5200.08-R authorizes personnel requiring only\nroutine physical access to receive a DBIDS credential and undergo the less rigorous\nNAC. Granting routine access to DoD installations to personnel who have only a NAC\nbackground check does not fully comply with the HSPD-12 policy objective to enhance\nsecurity and protect physical and human capital assets all DoD installations.\xe2\x80\x9d\n\nClient Comments. \xe2\x80\x9cSee remarks in item 16.\xe2\x80\x9d\n\nAudit Response. See audit response for item 16.\n\nItem 16 (page 13, \xe2\x80\x9cDBIDS Credential and Physical Access Control System\xe2\x80\x9d)\nExcerpt: \xe2\x80\x9cYet the system does not meet the minimum standards of FIPS 201-1 to verify\nthe claimed identity of individuals seeking physical access to Federal Government\nfacilities . . . . DBIDS uses card readers and scanners that are not on the Approved\nProducts List as required by OMB.\xe2\x80\x9d\n\nClient Comments. \xe2\x80\x9cDBIDS is a local or regional perimeter access control system that\nuses the CAC (for those individuals who qualify) and contains local physical access only\nbadging capabilities (for those who do not qualify for a CAC). DBIDS credentials are\nnot issued to those who possess CACs. As such, HSPD-12, associated NIST publications,\nand relevant OMB memo on HSPD-12 have nothing to do with DBIDS. This topic is\noutside the scope of the audit announcement, \xe2\x80\x98DoD Implementation of Homeland\nSecurity Presidential Directive-12.\xe2\x80\x99\xe2\x80\x9d\n\n\n\n\n                                           39\n\x0cAudit Response. We reviewed client comments and determined that report revisions\nwere not required. 
According to DoD Regulation 5200.08-R, paragraph C3.3.2., \xe2\x80\x9cthe\nDBIDS card renders a source of identity and verification of affiliation with the\nDepartment of Defense, and is a proven physical access system in accordance with\nReference (r) [FIPS 201-1].\xe2\x80\x9d However, the DBIDS system does not meet the minimum\nstandards of FIPS 201-1, as stated in the draft report. The policy of the Director of\nSecurity in the Office of the Under Secretary of Defense for Intelligence is that all\nupgrades and procurements of access control systems be FIPS 201-1-compliant.\n\nItem 17 (page 13, \xe2\x80\x9cDBIDS Credential and Physical Access Control System\xe2\x80\x9d)\nExcerpt: \xe2\x80\x9cNeither the DBIDS system nor the card is configured to operate with HSPD-12\nsecurity features such as PKI certificates, the Card Holder Unique Identifier, and\nbiometrics embedded in the integrated circuit chip of the credential.\xe2\x80\x9d\n\nClient Comments. \xe2\x80\x9cSee remarks in item #18.\xe2\x80\x9d\n\nAudit Response. See audit response for item #18.\n\nItem 18 (page 13, \xe2\x80\x9cDBIDS Credential and Physical Access Control Systems\xe2\x80\x9d)\nExcerpt: \xe2\x80\x9cFurther, the use of barcode technology on the DBIDS credential does not\nenhance security because the barcode, a static physical card feature, cannot deter fraud,\nprevent counterfeiting, or protect privacy. . . . DBIDS does not meet the FIPS 201-1\nminimum standards to enhance security, increase Government efficiency, and protect\npersonal privacy.\xe2\x80\x9d\n\nClient Comments. \xe2\x80\x9cSee remarks in item #13. Additionally, individuals who receive\nlocal access badges or DBIDS credentials typically do not receive CACs (e.g., DoD PIV\ncredential). There is no place within HSPD-12, FIPS 201 or OMB M05-24 that specifies\naccess control rules/criteria for physical installations and/or IT assets covering personnel\nwho do not qualify for CACs or Federal PIVs. 
The type of background investigations\nconducted on these individuals is outside the scope of HSPD-12.\n\nMoreover, PKI is not intended to be used in the physical access control environment.\nDBIDS, which predates HSPD-12, is a complementary not competing system. DBIDS:\n  \xe2\x80\xa2 Went operational on 9/11/2001 in Korea\n  \xe2\x80\xa2 Was built to optimize interoperability through use of bar code technologies\n  \xe2\x80\xa2 Managed risk by using local or regionally stored biometrics for authentication\n      which minimizes risk of fake/fraudulent cards\n  \xe2\x80\xa2 Is scalable to FPCON levels\n  \xe2\x80\xa2 Is able to provide information sharing across a region.\xe2\x80\x9d\n\nAudit Response. We reviewed client comments and determined that report revisions\nwere not required. DoD Regulation 5200.08-R, \xe2\x80\x9cPhysical Security Program,\xe2\x80\x9d April 9,\n2007, paragraph C3.3.2. and paragraph C3.3.3., establishes a less stringent access control\nrequirement. DoD Regulation 5200.08-R requires the implementation of DBIDS\nthroughout DoD installations and facilities. The Director of Security in the Office of the\n\n\n                                             40\n\x0cUnder Secretary of Defense for Intelligence has agreed to revise and remove references\nto DBIDS from DoD Regulation 5200.08-R. In the draft report we address only\ncontractors who qualify for a PIV credential but receive a DBIDS credential\xe2\x80\x95for\nexample, contractors who require only routine physical access to a single facility for 6\nmonths or more and qualify for a PIV credential but are given DBIDS cards. In addition,\nFIPS 201-1 states the PIV card can be used to authenticate the cardholder in a physical\naccess control environment.\n\nItem 19 (page 14, \xe2\x80\x9cPhoto Identification Requirements\xe2\x80\x9d)\nExcerpt: The entire section.\n\nClient Comments. \xe2\x80\x9cSee remarks in item #10.\xe2\x80\x9d\n\nAudit Response. 
We reviewed client comments and determined that report revisions\nwere not required. The audit report clearly states that this is a Navy identification badge,\nand does not imply that it is a CAC. The congressional response dated October 16, 2006,\ndoes clearly state that a CAC cannot be issued without a photo, but it makes no mention\nof a religious accommodation in another way or of waiving the requirement to receive a\nCAC.\n\n\n\n\n                                            41\n\x0cUSD(I) Comments on the Findings\n\nThe Director of Security responded for the USD (I). Below are excerpts from the draft\nreport, comments from the USD (I), and audit responses.\n\nItem 1 (page 4, \xe2\x80\x9cAutomated Verification of Status\xe2\x80\x9d)\nExcerpt: \xe2\x80\x9cDMDC is working . . . to establish an automated capability to verify the status\nof an individual\xe2\x80\x99s background check.\xe2\x80\x9d\n\nClient Comments. \xe2\x80\x9cConcur. As part of the E-GOV initiatives, the Department is\nparticipating in an E-clearance working group to automate and expedite submission of\nSF85P electronically, and is working to find an automated capability so that the issuing\nofficial is able to verify the status of the individual\xe2\x80\x99s background check at time of PIV\nissuance.\xe2\x80\x9d\n\nAudit Response. We have reviewed client comments and determined report revisions\nwere not required.\n\nItem 2 (page 11, \xe2\x80\x9cBackground Checks\xe2\x80\x9d)\nExcerpt: \xe2\x80\x9cHowever, the guidance does not address a vetting process for foreign nationals\nrequiring a CAC\xe2\x80\xa6in countries where no international security agreement has been\nestablished, such as Afghanistan and Iraq.\xe2\x80\x9d\n\nClient Comments. \xe2\x80\x9cConcur. The Department is working to define an acceptable vetting\nprocess for foreign nationals requiring a CAC in countries where no international security\nagreement has been established.\xe2\x80\x9d\n\nAudit Response. 
We have reviewed client comments and determined report revisions were not required.

Item 3 (page 5, Note to table showing DoD Employees and Contractors With Incomplete Background Checks)

Client Comments. “Nonconcur with DMDC’s assertion that the data in JPAS is not accurate. We would like to know the basis for this assertion.”

Audit Response. In its “Update Homeland Security Presidential Directive (HSPD)-12 Implementation Plan,” January 24, 2008, DMDC included a “Special Note” on numbers of background investigations required. The special note reads as follows:

               In an effort to improve the fidelity of the Department’s background investigation numbers, DoD and OPM have begun an initiative to analyze and reconcile over 1 million background investigation records. These numbers may not be an accurate reflection of the completed qualifying investigations and be more a reflection of the DoD JPAS data quality received from the Military Services and Defense Agencies.

Item 4 (page 11, “Background Checks”)
Excerpt: “DoD Components have not met NACI background check requirements.”

Client Comments. “Partially Concur. The Department mandated the National Agency Check with Law and Credit (NACLC) as the minimum investigation for newly accessed service members; on 1 Oct 2005, the Army implemented this mandate for its military accessions. As a result, a large group of earlier accessions have had the Entrance National Agency Check (ENTNAC) conducted. Our initial assessment indicates that conducting a NACI on all the individuals who had previously had the ENTNAC conducted would place a great financial burden on the Army. In order to make fiscally sound decisions, the Department supports the Army request for waiver from the immediate HSPD-12-mandated NACI background checks until members’ current CAC cards expire or individuals are due for periodic investigations. In the meantime, the Department has been working to validate the number that does not meet the NACI background check requirements. DMDC is continuing to check their database against OPM records, as some of the individuals have had investigations conducted which are not included in their database. Some individuals have had the NACLC conducted, which the Department considers equivalent to the NACI. Considering the above, when the assessment has been completed, the number who have not met NACI background check requirements will be significantly less than initially projected and the Department can then prioritize submission of NACI’s on the remainder.”

Audit Response. We reviewed client comments and determined that report revisions were not required. DMDC has reported that multiple Defense Components have noncompliant investigation records. Any DoD Component requesting a waiver of HSPD-12 NACI requirements should formally document the request and notify OMB.

Item 5 (page 13, “NACI Requirement”)
Excerpt: “DoD Regulation 5200.08-R . . . leaves open such questions as which DoD entity should pay for the background checks for contractors, and what kind of background check is required for foreign nationals.”

Client Comments. “Regarding payment for background checks for contractors: There are clearly defined procedures governing how investigations are to be submitted to OPM, and how these are billed and financed. Each service is responsible for submitting and paying for investigations conducted on their contractors. (Note: This is separate and distinct from investigations required for contractors requiring classified access. Such investigations are submitted in accordance with the provisions of the National Industrial Security Program, and are programmed for and funded by the Defense Security Service.)”

Audit Response. We reviewed client comments and determined that report revisions were not required. Guidance for non-Federal employees (contractors or vendors) who require only routine physical access to DoD installations and who may not previously have been subject to a background investigation should be included in the HSPD-12 implementation guidance. It should be made clear that DoD Components are to follow existing guidance when appropriate for each category of non-Federal employees.

Item 6

Client Comment. “Insert other appropriate references for physical security, physical security equipment and access control authorities.

   •  DoDD 5143.01, Under Secretary of Defense for Intelligence (USD(I)), Nov 23, 2005
   •  DoDI 5200.8, Security of DoD Installations and Resources, Dec 10, 2005
   •  DoDI 3224.3, Physical Security Equipment (PSE) Research, Development, Test, and Evaluation (RDT&E), Oct 1, 2007
   •  DoDD 5200.27, Acquisition of Information Concerning Persons and Organizations not Affiliated with the DoD, Jan 7, 1980 (policy being transferred/incorporated from DoD IG to USD(I))
   •  DoDD 5000.1, The Defense Acquisition System, May 12, 2003
   •  OSD 12922-05, DoD Policy for Biometric Information for Access to U.S. Installations and Facilities in Iraq, Jul 15, 2005.”

Audit Response. The requested references appear in the bulleted list above.

ASD NII/CIO Comments on the Findings

The Deputy Assistant Secretary of Defense, Information and Identity Assurance responded for the ASD(NII)/CIO. His itemized comments and our audit responses appear below.

Item 2† (page 2, “Background”)

Client Comments. “The following three statements in this paragraph are inaccurate: 1) ‘Agencies may elect to implement HSPD-12 through either a transitional³ or an end-point credential’. ‘Transitional’ and ‘end-point’ refer to PIV card interfaces and are not mentioned in FIPS 201-1 or OMB 05-24. 2) ‘DoD must achieve the end-point credential specification for all cardholders at some point’. This statement is inferred from SP 800-73-1 and is not mentioned in the normative sections of the FIPS 201 standard. 3) ‘OMB has established October 27, 2006 as the date for issuing an initial end-point credential by all nontransitional agencies; however, ...’ According to OMB 05-24, all agencies begin compliance with FIPS 201, Part 2 as of October 27, 2006. Issuing PIV cards with the end-point card interface is not a stated requirement in the normative sections of FIPS 201. There is no milestone date published (in FIPS 201 or SP 800-73) for ‘Legacy’ PKIs to issue PIV cards with the end-point interface. Recommend rewriting the paragraph to accurately state the PIV card issuance and implementation requirements as listed in FIPS 201, Part 1 & 2, and the implementation milestones published in the OMB memo 05-24.”

Audit Response. We reviewed client comments and determined that report revisions were not required. As stated in FIPS 201-1, the interfaces and card architecture for storing and retrieving identity credentials from a smart card are specified in NIST Special Publication 800-73, “Interfaces for Personal Identity Verification,” March 2006. NIST SP 800-73 states that a FIPS 201-1 PIV-II card specification is described in Part 3 of SP 800-73, and all agencies must ultimately comply with Part 3 in accordance with the schedule provided by OMB in its Memorandum M-05-24.

Item 3

Client Comments. “The definition of ‘credential’ specified in the glossary of the report is inaccurate and unreferenced. It is unclear to the reader of the report why a definition of ‘credential’ is needed in the report at this time. If a definition of credential is needed, recommend the definition in NIST’s SP 800-63-3 ‘Electronic Authentication Guidelines’ is used. Recommend removing the footnote and the definition from the glossary.”

† Item 1 refers to a recommendation, rather than to the finding.

Audit Response. We reviewed client comments and determined that report revisions were not required. See FIPS 201-1, Appendix F – Glossary of Terms, Acronyms, and Notations, for the definition of “credential.”

Item 4

Client Comments. “The definition of ‘interoperability’ specified in the glossary of the report is incomplete and unreferenced. It is unclear to the reader of the report why a definition of ‘interoperability’ is needed in the report at this time. The PIV card will be interoperable with Federal government physical or logical access control systems based on compliance with the FIPS standard. Recommend removing the footnote and the definition from the glossary.”

Audit Response. We reviewed client comments and determined that report revisions were not required. See FIPS 201-1, Appendix F – Glossary of Terms, Acronyms, and Notations, and NIST 800-73-1, Section 1.3, for the definition of “interoperability.”

Item 5 (page 3, first paragraph)

Client Comments. “This paragraph is inaccurate and confusing. The impression left with the reader is that DoD has failed to accomplish any of the PIV Part 1 or PIV Part 2 requirements. The term ‘strategic pause’ is not defined or explained, yet it is listed as the reason for missing critical milestones. The term ‘HSPD-12 minimum standards’ is used but it is not clear what minimum standards are being referenced. The word ‘transitional’ is used however there is no definition or context to provide the reader with an understanding of its meaning. HSPD-12 is a federal directive to develop and implement a standard identity credential. The phrase ‘DoD has not met HSPD-12 minimum standards for its transitional program’ has no relevance to implementing required Agency actions in Atch A, para 2b of OMB 05-24. From the paragraph, the reader is led to assume that there is a requirement for agencies to centrally fund HSPD-12 implementation. There is no such requirement in HSPD-12 or the OMB-05-24. Recommend rewriting the paragraph and conclusions based on supportable evidence. For example: DoD has not been able to fully comply with the Agency actions (milestones) involving background investigation, as identified in Atch A, para 3B of OMB 05-24. Failure to fully complete these actions could delay obtaining the full benefit of having HSPD-12/FIPS 201 compliant credentials issued to all eligible DoD recipients.”

Audit Response. We reviewed client comments and determined that report revisions were not required. The January 2008 update of the DoD HSPD-12 Implementation Plan states that in April 2007 DoD instituted a strategic pause. The strategic pause directly affected DoD’s ability to support HSPD-12. FIPS 201-1, parts I and II, establishes “HSPD-12 minimum standards.” OMB required all agencies to begin issuing compliant credentials by October 27, 2006, either through the services of GSA and the Department of Interior or by performing this function internally. DoD’s internal transitional program was not exempt from this requirement. DoD transitional status does allow DoD additional time to obtain full operational capability because of the large volume of compliant credentials to be issued. In the report glossary, Appendix D, we have included the definition of “transitional.” The report does not state that centralized funding is required. However, we requested that USD(I) and USD(P&R) consider implementing central funding.

Item 6 (page 3, paragraph 3)

Client Comments. “The fact that DMDC had to declare a ‘strategic pause’ indicates that there was a plan to transition the existing DoD CAC issuance infrastructure to a FIPS 201 compliant configuration within the mandated timeframe. The report discounts any credit for attempting to comply with FIPS 201 or for informing OMB of DoD’s progress toward the milestones and the challenges that DoD encountered. In the discussion of the ‘strategic pause’ in this paragraph, recommend a fuller investigation of the reasons for the ‘strategic pause.’ Given that there was an original plan that assumedly would have accomplished OMB milestones, the reasons for declaring a pause would be illustrative to DoD leadership, especially if further investigation could identify occurrences of flaws in planning, ineffective internal management, funding challenges or the indications of lack of leadership buy-in or oversight.”

Audit Response. We reviewed client comments and determined that report revisions were not required. Our report discusses the impact of the strategic pause on implementing HSPD-12 milestones, and we did not review the reasons for instituting the strategic pause.

Item 7 (page 4, “Automated Verification of Status”)

Client Comments. “The statement ‘. . . DoD does not intend to produce identity credentials that will include an electronic indication…’ is misleading and unsubstantiated. It is apparently taken from a September 2006 update in the [JANDODPLAN]. Further investigation of the most current plans for issuing the DoD’s PIV credential would uncover that the investigation status of the DoD PIV card recipient will be electronically distinguishable to systems interfacing with the card. The final sentence in the paragraph leads the reader to believe that DoD has not and never intended to comply with this FIPS 201 Part II requirement. The discussion of Auto Verification Status in this paragraph appears to be quite limited and does not give any indication of the enormity of the task required to make IT systems from disparate Federal Agencies (i.e. DoD, DSS, OPM, FBI) electronically communicate, the cost, time and manpower it takes to initiate required investigations of employees or “CAC eligible” contractors or the lead time and development risks involved with restructuring the CAC issuance infrastructure. Establishing an electronic mechanism to check the investigation status of a credential recipient at the time of credential issuance, in real time, continues to be a formidable challenge and one that is continuing to be pursued. Recommend this paragraph be removed from the report.”

Audit Response. We reviewed client comments and determined that report revisions were not required. The updated January 2008 DoD HSPD-12 Implementation Plan did not update the status of the NACI indicator, and we were not provided with information to the contrary.

Item 8 (page 4, “Deadlines for Completion of Background Checks”)

Client Comments. “This paragraph gives no indication about how the failure to comply with the stated OMB milestones impacts either the effectiveness of DoD’s HSPD-12 implementation, the quality and security of the PIV credential or DoD employee’s ability to interoperate with physical access or logical IT systems. The impression left with the reader is that DoD has failed to accomplish this requirement and that has left DoD with a worthless and non-functional credential. Recommend this paragraph is rewritten to provide some ‘leadership relevant’ information. A discussion of the immediate and longer term impacts of the failure to initiate appropriate background investigations needs to be included in this paragraph. For instance, can the milestone failure be viewed as a ‘symptom’ of the Department’s lack of strong centralized management or funding of the HSPD-12 mandate, poor coordination between DoD organizations, or lack of DoD leadership emphasis at the highest levels?”

Audit Response. We reviewed client comments and determined that report revisions were not required. We reported that DoD did not meet the OMB deadline of October 27, 2007, for background checks for employees and contractors employed for less than 15 years. DoD should assess the impact and take the necessary management steps to comply with HSPD-12.

Item 9 (page 5, “Privacy Requirements”)

Client Comments. “The Privacy Requirements (PrivRqmts) section of the report makes no mention of any of the privacy related requirements mentioned in OMB memo 05-24 or FIPS 201. Neither does the report identify the extent to which the DoD’s implementation has accomplished compliance with HSPD-12 privacy requirements. While it may be in the purview of the DODIG to mention other privacy related issues involving the content or topology of the HSPD-12 credential, to have only discussion of the findings and shortcomings of the DoD SSN reduction effort in the PrivRqmts section of the HSPD-12 report is confusing to the reader and does not provide a clear tie between DoD’s Geneva Convention Identification Card, the Common Access Card or DoD’s PIV-compliant credential. The applicability and impacts of SSN reduction on the HSPD-12 requirement is left to the reader to figure out. The finding stated in the 2nd to last sentence of paragraph 10, ‘The current appearance of DoD’s Geneva Convention credential unnecessarily compromises....,’ is an unsubstantiated and unsupported assertion and should be removed from the report. This statement is inappropriate for this report without an investigation of what are the topographical requirements for a Geneva Conventions Card and why is DoD’s Geneva Conventions card currently produced with this information. Recommend separating the discussion and findings regarding the DoD SSN reduction effort into a separate section of this report with a descriptive section heading that is distinct from a HSPD-12/PIV privacy discussion. Recommend the SSN reduction section include specific discussion that identifies the relationship between the DoD Geneva Convention Identification Card, the DoD CAC and DoD’s PIV compliant credential and why the advance of technology has created vulnerabilities by exposing the SSN and other PII on identification credentials.”

Audit Response. We reviewed client comments and determined that report revisions were not required. The USD(P&R) is taking the necessary actions to address privacy concerns with the next-generation PIV-related Geneva Conventions credential. For additional information, see USD(P&R) comments, Appendix C, Item #5.

Item 10 (page 6, “DoD PIV PKI Authentication Certificate”)

Client Comments. “The PKI PMO decided to develop a fourth DoD PKI certificate to meet PIV requirements because modifying existing DoD PKI certificates presented unacceptable operational impacts to the DoD PKI. As a legacy PKI (defined in section 5.4.4 of FIPS 201), DoD has lobbied aggressively and gained NIST’s acceptance of proposed FIPS 201 changes that would allow legacy PKIs to continue to assert Legacy PKI policy OIDs [object identifiers]. Alternative acceptable OIDs will not materially affect the security characteristics or interoperable use of the PIV issued PKI certificates and provide legacy PKIs, such as DoD, with much needed clarity on the implementation of the PIV standard. However, NIST has not as yet made the change to FIPS 201 for unrelated reasons. DoD’s inability and unwillingness to make adjustments to the DoD PKI Certificate Policy to align with the Federal Common Policy are based on specific, unacceptable impacts to DoD missions and operations. In an effort to compromise and be able to become fully PIV compliant with the FIPS in the future, DoD requested two changes to the Federal Common Policy. The Federal PKI Policy Authority has acknowledged the rationale for and accepted the changes in principle, but has not as yet voted on the requested changes. A vote must come from the full Federal PKI Policy Authority. This issue is now out of the control of DoD. The 2nd to last sentence in paragraph 14 is a misquote from the [JANDODPLAN] (page 11). This misquoted sentence, ‘DoD plans to use common policy object identifiers in the PIV PKI authentication certificate only one year after FIPS is revised to meet DoD objections’, comes from the Sept 2006 update regarding the optional Digital Signature certificate, not the PIV Authentication. In the misquoted sentence the word ‘only’ is inserted giving the reader the impression that DoD intends to assert the FedCommon Policy OIDs for a single year. All actions and decisions made by DoD regarding compliance with the FIPS requirements for the PIV Auth [authentication] certificate have been within its purview and with the intention of becoming fully PIV compliant at some point in the future. With this in mind, recommend these paragraphs are rewritten to include a discussion of DoD PKI efforts regarding the PIV Auth certificate requirement and a review and consideration of the justification for those efforts as stated in the [JANDODPLAN].”

Audit Response. We reviewed client comments and determined that report revisions were not required. We reported that proposed changes have been submitted to the Federal PKI Policy Authority for approval but that no date has been established for consideration of the two modifications. Further, we have received no indication that the changes will be promulgated in policy. We did not use the phrase “for only 1 year.” We used “only 1 year” to emphasize that DoD will not assert Common Policy object identifiers until 1 year after FIPS 201-1 or Common Policy is modified.

Item 11 (page 11, “DoD Component Implementation Efforts”)

Client Comments. “The 1st sentence in the paragraph, ‘HSPD-12 requires that access to Federal facilities or information systems be granted only to Federal employees and contractors with secure and reliable credentials.’, does not accurately paraphrase direction stated in either HSPD-12 or OMB 05-24 regarding use of standard identity credentials to access facilities or information systems. In HSPD-12 and OMB 05-24, direction states that personnel (both government employees and eligible contractors) will use the standard credential for physical and logical access to Federal resources. These references, however, do not restrict access to Federal facilities or Federal Information systems to only holders of a PIV-compliant credential. Recommend rewriting the paragraph to restate the HSPD-12 and OMB direction more accurately.”

Audit Response. We reviewed client comments and have edited “HSPD-12 requires that access to Federal facilities or information systems be granted only to Federal employees and contractors with secure and reliable credentials.” The sentence now reads: “HSPD-12 requires that access to Federal facilities or information systems be granted to Federal employees and contractors based on secure and reliable forms of identification that meet the Federal standard established by the Secretary of Commerce.”

Item 12 (page 11, “DoD Component Implementation Efforts and Background Checks”)

Client Comments. “The 2nd sentence in paragraph 3 is inaccurate and misleading. A more accurate phrasing of the issue would be to say that the percent of completion of the task (OMB 05-24, Atchmt A, para 3.B) to initiate the NACI background investigations for current DoD civilian employees, military members and eligible contractors varies between the Components. In the first sentence of paragraph 4, it has to be assumed by the reader that the report is again referring to the same OMB 05-24 task. Lack of accurate references called out in the report make it difficult to understand the relevance and meaning of statements in the report. Recommend rewriting the report to include relevant references to all HSPD-12, FIPS 201 or OMB established requirements. These requirements are the basis for determining DoD’s compliance or consistency and should be clearly identified.”

Audit Response. We reviewed client comments and determined that report revisions were not required. The second sentence of paragraph 3 on page 11 is accurate and not misleading. OMB Memorandum M-05-24, Attachment A, Table 2B, states that by October 27, 2007, agencies are to verify and/or complete required background investigations for all current employees and contractors employed less than 15 years. DoD failed to meet the requirement.

Item 13 (page 12, “DBIDS Credentials”)

Client Comments. “The finding in this paragraph is unsubstantiated and inaccurate. Empirical or anecdotal evidence is not provided to corroborate the finding. Issuance of a physical access only credential to contractor personnel with a routine requirement for only physical access to facilities is allowed under the OMB 05-24, Atchmt A, para 1.C. DBIDS cards should not have been issued to DoD employees in lieu of the CAC. If this did happen, it should have been noted as a procedural error and corrected as soon as noted. Recommend removing this paragraph from the report.”

Audit Response. We reviewed client comments and determined that report revisions were not required. We disagree that issuance of a physical-access-only credential to contractor personnel with a routine requirement for only physical access to facilities is allowed under OMB Memorandum M-05-24, Attachment A, paragraph 1.C. This paragraph states that HSPD-12 applies to “individuals under contract to a department or agency requiring routine access to federally controlled facilities and/or federally controlled information systems to whom you would issue Federal agency identity credentials, consistent with your existing security policies” and “does not apply to individuals under contract to a department or agency, requiring only intermittent access to federally controlled facilities.”

Item 14 (page 13, “DBIDS Credential and Physical Access Control System”)

Client Comments. “This paragraph misrepresents the referenced direction from DoD Regulation 5200.08-R. From how this paragraph is worded, the reader is led to believe that 5200.08-R directs that all DoD employees and contractors authorized routine physical access to a single installation should be issued a DBIDS card in lieu of a CAC. While it is conceded that para C3.3.2 in DoD 5200.08-R applies to personnel with only single installation access requirements and there may be DoD employees that only need access to a single federal facility to perform their job, it should be recognized that DoD 5200.08-R does not override the requirement to issue a CAC to all DoD employees. Recommend removing this paragraph from the report.”

Audit Response. We reviewed client comments and determined that report revisions were not required. DoD Regulation 5200.08-R states that the DBIDS card shall be issued and authorized for routine, physical access to a single DoD installation or facility. The Regulation does not specify the category of employees or contractors to receive the DBIDS card. OUSD(I) has agreed to remove paragraph C3.3.2. in its entirety.

Item 15 (page 13, “DBIDS Credential and Physical Access Control System”)

Client Comments. “The DBIDS access control system and the accompanying DBIDS credential was never intended to be a PIV compliant credential and therefore should not have to comply with the full gamut of PIV Part I or II requirements. To a lesser assurance level than asserted by the CAC or a PIV-compliant credential, the DBIDS credential, due to its registration and issuance process, can adequately verify the claimed identity of individuals seeking access to facilities. Even though it was developed prior to FIPS 201, the DBIDS credential issuance incorporates elements of two of the four PIV Part I control objectives (i.e. rapidly authenticated electronically and issued by accredited and authoritative credential providers). Recommend removing these paragraphs from the report.”

Audit Response. We reviewed client comments and determined that report revisions were not required. USD(I) has responsibility for DoD physical access control policy and has stated that DoD Regulation 5200.08-R will be revised to require all electronic access control systems to meet HSPD-12 and OMB guidance.

Item 16 (page 14, “Photo Identification Requirements”)

Client Comments. “The discussion in these paragraphs has more to do with a lack of Department internal controls over credentialing processes than compliance with OMB 05-24, HSPD-12 or FIPS 201. The situation, as described, is regrettable and does point out the interrelated nature of credentialing, access control and proofing and vetting of personnel. Recommend separating the discussion regarding issuance of a photoless ID prior to HSPD-12 into a separate section of this report. The section should also inform DoD leadership of the critical need to synchronize identity related activities across the Department under an Identity Management Principal Staff Assistant.”

Audit Response. We reviewed client comments and determined that report revisions were not required. We agree that DoD leadership should be informed of the critical need to coordinate identity-related activities across the Department.

Appendix D. Glossary

1) Access Control - The process of granting or denying specific requests to: 1) obtain and use information and related information processing services; and 2) enter specific physical facilities (e.g., Federal buildings, military establishments, border crossing entrances).

2) Certificate Revocation List - A list of revoked public key certificates created and digitally signed by a certification authority.

3) Credential - Evidence attesting to one’s right to credit or authority; in this standard, it is the PIV card and data elements associated with an individual that authoritatively bind an identity (and, optionally, additional attributes) to that individual.

4) Common Policy - Policy framework governing the Public Key Infrastructure (PKI) component of the Federal Enterprise Architecture. The policy framework incorporates six specific certificate policies: a policy for users with software cryptographic modules, a policy for users with hardware cryptographic modules, a policy for devices, a high-assurance user policy, a user authentication policy, and a card authentication policy.

5) End-point - Status granted to agencies without a smart card program; has all the elements required for PIV compliance.

6) Federal Bridge Certification Authority - Consists of a collection of Public Key Infrastructure components (Certificate Authorities, Directories, Certificate Policies and Certificate Practice Statements) that are used to provide peer to peer interoperability among principal entity certification authorities.

7) Interoperability - Allows any Government facility or information system, regardless of the PIV issuer, to verify a cardholder’s identity using the credentials on the PIV card; the use of PIV identity credentials such that client-application programs, compliant card applications, and compliant integrated circuit cards can be issued interchangeably by all information-processing systems across Federal agencies.

8) National Agency Check (NAC) - The NAC is part of every NACI. Standard NACs are Security/Suitability Investigations Index, Defense Clearance and Investigation Index, FBI Name Check, and FBI National Criminal History Fingerprint Check.

9) National Agency Check with Inquiries (NACI) - The basic and minimum investigation required on all new Federal employees; consists of a NAC with written inquiries and searches of records covering specific areas of an individual’s background during the past 5 years (inquiries sent to current and past employers, schools attended, references, and local law enforcement authorities). Coverage includes employment, 5 years; education, 5 years and highest degree verified; residence, 3 years; references; law enforcement, 5 years; and NACs.

10) NextUpdate - Time required by the Common Policy to update the Certificate Revocation List.

11) Object Identifiers - A specialized formatted number that is registered with an internationally recognized standards organization, the unique alphanumeric/numeric identifier registered under the ISO registration standard to reference a specific object or object class. In the Federal PKI, object identifiers are used to uniquely identify certificate policies and cryptographic algorithms.

12) PIV end-point applet - Program that will allow the end-point scanners and readers to read and retrieve end-point information from the DoD PIV credential. This is DoD’s solution to comply with HSPD-12 interoperability requirements.

13) PIV authentication certificate - Shall be an asymmetric private key supporting card authentication for an interoperable environment; is mandatory for each PIV Card.

14) Public Key Infrastructure (PKI) - A support service to the PIV system that provides the cryptographic keys needed to perform digital signature-based identity verification and to protect communications and storage of sensitive verification system data within identity cards and the verification system.

15) Transitional - Status granted to agencies with smart card programs as an intermediate step; transitional credential is not end-point compliant.

Appendix E. List of Acronyms and Abbreviations

ASD(NII)/CIO   Assistant Secretary of Defense for Networks and Information Integration/DoD Chief Information Officer
ASD            Assistant Secretary of Defense
AOR            Area of Responsibility
CAC            Common Access Card
CIOs           Chief Information Officers
CI&S           Counterintelligence and Security
CONUS          Continental United States
CRL            Certificate Revocation List
DASD(IIA)      Deputy Assistant Secretary of Defense (Information and Identity Assurance)
DBIDS          Defense Biometrics Identification System
DHRA           Defense Human Resource Agency
DHS            Department of Homeland Security
DLA            Defense Logistics Agency
DLAI           Defense Logistics Agency Instruction
DMDC           Defense Manpower Data Center
DoD            Department of Defense
DoDD           Department of Defense Directive
DoDI           Department of Defense Instruction
DoD IG         Department of Defense Inspector General
DSCP           Defense Supply Center Philadelphia
DSS            Defense Security Service
DTM            Directive Type Memorandum
E-GOV          Electronic Government
ENTNAC         Entrance National Agency Check
EUCOM          European Command
FBI            Federal Bureau of Investigation
FIPS           Federal Information Processing Standards
FPCON          Force Protection Condition
FY             Fiscal Year
GAO            Government Accountability Office
GSA            General Services Administration
HSPD-12        Homeland Security Presidential Directive-12
ID             Identification
IOC            Initial Operational Capability
IT             Information Technology
JANDODPLAN     January 2008 DoD Implementation Plan
JPAS           Joint Personnel Adjudication System
JTF-GNO        Joint Task Force Global Network Integration
NAC            National Agency Check
NACI           National Agency Check with Written Inquiries
NACLC          National Agency Check with Law and Credit
NIPRNET        Non-Classified Internet Protocol Router Network
NIST           National Institute of Standards and Technology
NSA            Naval Support Activity
OCONUS         Outside Continental United States
OIDs           Object Identifiers
OMB            Office of Management and Budget
OPM            Office of Personnel Management
OSD            Office of the Secretary of Defense
OUSD(I)        Office of the Under Secretary of Defense for Intelligence
OUSD(P&R)      Office of the Under Secretary of Defense for Personnel and Readiness
PACs           Physical Access Controls
PACOM          Pacific Command
PII            Personally Identifiable Information
PIV            Personal Identity Verification
PKI            Public Key Infrastructure
PMO            Program Management Office
PSAs           Principal Staff Assistants
RAPIDS         Real-time Automated Personnel Identification System
RSA            Rivest, Shamir, and Adleman
SSN            Social Security Number
USD(AT&L)      Under Secretary of Defense for Acquisition, Technology, and
   Logistics\nUSD(I)      Under Secretary of Defense for Intelligence\nUSD(P)      Under Secretary of Defense for Policy\nUSD(P&R)    Under Secretary of Defense for Personnel and Readiness\n\n\n\n\n                                56\n\x0cUnder Secretary of Defense for Personnel and Readiness\nComments\n\n\n\n\n                   Click to add JPEG file\n\n\n\n\n                                  57\n\x0cClick to add JPEG file\n\n\n\n\n               58\n\x0cClick to add JPEG file\n\n\n\n\n               59\n\x0cClick to add JPEG file\n\n\n\n\n               60\n\x0c                           Final Report\n                            Reference\n\n\n\n\n                         page 1\n\n\n\n\nClick to add JPEG file\n\n\n\n                         page 4\n\n\n\n\n               61\n\x0c                         Final Report\n                          Reference\n\n\n\n\nClick to add JPEG file\n\n\n\n\n               62\n\x0c                           Final Report\n                            Reference\n\n\n\n\n                         page 15\n\n\n\n\n                         page 16\n\n\n\n\nClick to add JPEG file\n\n\n\n                         page 16\n\n\n\n\n               63\n\x0c                           Final Report\n                            Reference\n\n\n\n\n                         page 16\n\n\n\n\n                         page 16\n\n\n\n\nClick to add JPEG file\n\n\n\n\n                         page 17\n\n\n\n\n                         page 17\n\n\n\n\n               64\n\x0c                           Final Report\n                            Reference\n\n\n\n\n                         page 17\n\n\n\n\n                         page 17\nClick to add JPEG file\n\n                         pages 17, 18\n\n\n\n\n               65\n\x0c                           Final Report\n                            Reference\n\n\n\n\n                         pages 18, 19\n\n\n\n\nClick to add JPEG file\n\n\n\n\n               66\n\x0cUnder Secretary of Defense for 
Intelligence Comments\n\n\n\n\n                   Click to add JPEG file\n\n\n\n\n                                  67\n\x0cClick to add JPEG file\n\n\n\n\n               68\n\x0cClick to add JPEG file\n\n\n\n\n               69\n\x0cClick to add JPEG file\n\n\n\n\n               70\n\x0c                           Final Report\n                            Reference\n\n\n\n\nClick to add JPEG file\n\n\n\n                         page 15\n\n\n\n\n               71\n\x0c                           Final Report\n                            Reference\n\n\n\n\n                         page 17\n\n\n\n\nClick to add JPEG file\n\n\n\n\n               72\n\x0cAssistant Secretary of Defense for Networks and\nInformation Integration/DoD Chief Information Officer\nComments\n\n\n\n\n                    Click to add JPEG file\n\n\n\n\n                                   73\n\x0cClick to add JPEG file\n\n\n\n\n               74\n\x0c                           Final Report\n                            Reference\n\n\n\n\nClick to add JPEG file\n                         page 53\n\n\n\n\n               75\n\x0cClick to add JPEG file\n\n\n\n\n               76\n\x0cClick to add JPEG file\n\n\n\n\n               77\n\x0c                           Final Report\n                            Reference\n\n\n\n\nClick to add JPEG file\n\n\n                         page 15\n\n\n\n\n                         page 15\n\n\n\n\n               78\n\x0c                           Final Report\n                            Reference\n\n\n\n\n                         page 16\n\n\n\n\nClick to add JPEG file   page 17\n\n\n\n\n                         pages 17, 18\n\n\n\n\n               79\n\x0c                           Final Report\n                            Reference\n\n\n\n\n                         pages 18,19\n\n\n\n\n                         page 22\n\n\n\n\nClick to add JPEG file\n\n\n\n\n               80\n\x0cTeam Members\nThe Department of Defense Office of the Deputy Inspector General for 
Auditing,\nReadiness and Operations Support prepared this report. Personnel of the Department of\nDefense Office of Inspector General who contributed to the report are listed below.\n\nDonald A. Bloomer\nKathryn Truex\nRobert R. Johnson\nCelia J. Harrigan\nGloria Young\nBradley M. Heller\nGiormary Peluyera\nLeBarron Durant\nBryan T. Clark\nXavier R. Zayas\nAllison E. Tarmann\n\x0c\x0c"